annotate src/event/ngx_event_openssl_stapling.c @ 7667:1ece2ac2555a

OCSP: fixed use-after-free on error.

When validating second and further certificates, ssl callback could be called
twice to report the error. After the first call client connection is
terminated and its memory is released. Prior to the second call and in it
released connection memory is accessed.

Errors triggering this behavior:
- failure to create the request
- failure to start resolving OCSP responder name
- failure to start connecting to the OCSP responder

The fix is to rearrange the code to eliminate the second call.
author Roman Arutyunyan <arut@nginx.com>
date Mon, 15 Jun 2020 20:17:16 +0300
parents bd4d1b9db0ee
children d752a2c76d49
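The double error report described in the commit message, as an added schematic C model that is not nginx code: every name in it (conn_t, trace_t, ssl_handler, ocsp_start, validate_next_buggy, validate_next_fixed, run_variant) is hypothetical, and the connection release is only recorded rather than performed so the buggy shape can be observed safely. The buggy shape reports the failure from the request routine and again from its caller; the fixed shape reports it exactly once and never touches the connection afterwards.

```c
#include <string.h>

/* Counters recording one run; kept outside the connection so the result can
 * be checked without reading memory that is modelled as already released. */
typedef struct {
    int  handler_calls;    /* how many times the ssl handler reported */
    int  released;         /* connection memory has been released */
    int  use_after_free;   /* accesses to the connection after release */
} trace_t;

/* Hypothetical stand-in for the client connection. */
typedef struct {
    int      ncert;        /* index of the certificate being validated */
    int      fail_at;      /* constructed: starting validation of it fails */
    int      status;       /* validation result stored on the connection */
    trace_t *trace;
} conn_t;

/* Records an access to c; it counts as use-after-free once c is released. */
static void
touch(conn_t *c)
{
    if (c->trace->released) {
        c->trace->use_after_free++;
    }
}

/* Model of the ssl handler: on error it terminates the client connection and
 * releases its memory, so nothing may touch c afterwards.  The release is
 * only recorded here so that the buggy variant can be observed. */
static void
ssl_handler(conn_t *c, int err)
{
    touch(c);
    c->trace->handler_calls++;
    if (err) {
        c->trace->released = 1;
    }
}

/* Model of starting the OCSP request for certificate c->ncert: creating the
 * request, starting the resolver or starting the connect may fail. */
static int
ocsp_start(conn_t *c)
{
    return (c->ncert == c->fail_at) ? -1 : 0;
}

/* Shape before the fix: the request routine reports the failure through the
 * ssl handler itself and also returns an error, so the caller stores the
 * status on the released connection and reports the same error again. */
static int
ocsp_request_buggy(conn_t *c)
{
    if (ocsp_start(c) != 0) {
        ssl_handler(c, 1);     /* first report: connection released here */
        return -1;
    }
    return 0;
}

static void
validate_next_buggy(conn_t *c)
{
    if (ocsp_request_buggy(c) != 0) {
        touch(c);
        c->status = -1;        /* write to released memory */
        ssl_handler(c, 1);     /* second report, on released memory */
    }
}

/* Shape after the fix: the request routine only signals failure back to its
 * caller, exactly one place reports it, and c is not used afterwards. */
static void
validate_next_fixed(conn_t *c)
{
    if (ocsp_start(c) != 0) {
        touch(c);
        c->status = -1;
        ssl_handler(c, 1);     /* single report; nothing touches c after it */
    }
}

/* Runs one variant on a constructed chain in which validation of the second
 * certificate (index 1) fails to start, and returns the recorded trace. */
trace_t
run_variant(int fixed)
{
    trace_t  t;
    conn_t   c;

    memset(&t, 0, sizeof(trace_t));
    memset(&c, 0, sizeof(conn_t));
    c.ncert = 1;
    c.fail_at = 1;
    c.trace = &t;

    if (fixed) validate_next_fixed(&c); else validate_next_buggy(&c);
    return t;
}
```

With the buggy shape the trace shows two handler calls and two accesses after release; with the fixed shape one handler call and none.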
rev   line source
4874
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
1
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
2 /*
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
3 * Copyright (C) Maxim Dounin
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
4 * Copyright (C) Nginx, Inc.
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
5 */
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
6
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
7
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
8 #include <ngx_config.h>
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
9 #include <ngx_core.h>
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
10 #include <ngx_event.h>
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
11 #include <ngx_event_connect.h>
4874
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
12
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
13
5777
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents: 5683
diff changeset
14 #if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB)
4874
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
15
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
16
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
17 typedef struct {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
18 ngx_str_t staple;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
19 ngx_msec_t timeout;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
20
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
21 ngx_resolver_t *resolver;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
22 ngx_msec_t resolver_timeout;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
23
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
24 ngx_addr_t *addrs;
7652
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
25 ngx_uint_t naddrs;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
26 ngx_str_t host;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
27 ngx_str_t uri;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
28 in_port_t port;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
29
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
30 SSL_CTX *ssl_ctx;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
31
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
32 X509 *cert;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
33 X509 *issuer;
7651
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
34 STACK_OF(X509) *chain;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
35
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
36 u_char *name;
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
37
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
38 time_t valid;
6181
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
39 time_t refresh;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
40
4879
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4878
diff changeset
41 unsigned verify:1;
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4878
diff changeset
42 unsigned loading:1;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
43 } ngx_ssl_stapling_t;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
44
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
45
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
46 typedef struct {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
47 ngx_addr_t *addrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
48 ngx_uint_t naddrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
49
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
50 ngx_str_t host;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
51 ngx_str_t uri;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
52 in_port_t port;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
53 ngx_uint_t depth;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
54
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
55 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
56
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
57 ngx_resolver_t *resolver;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
58 ngx_msec_t resolver_timeout;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
59 } ngx_ssl_ocsp_conf_t;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
60
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
61
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
62 typedef struct {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
63 ngx_rbtree_t rbtree;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
64 ngx_rbtree_node_t sentinel;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
65 ngx_queue_t expire_queue;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
66 } ngx_ssl_ocsp_cache_t;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
67
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
68
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
69 typedef struct {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
70 ngx_str_node_t node;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
71 ngx_queue_t queue;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
72 int status;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
73 time_t valid;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
74 } ngx_ssl_ocsp_cache_node_t;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
75
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
76
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
77 typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
78
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
79
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
80 struct ngx_ssl_ocsp_s {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
81 STACK_OF(X509) *certs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
82 ngx_uint_t ncert;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
83
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
84 int cert_status;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
85 ngx_int_t status;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
86
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
87 ngx_ssl_ocsp_conf_t *conf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
88 ngx_ssl_ocsp_ctx_t *ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
89 };
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
90
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
91
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
92 struct ngx_ssl_ocsp_ctx_s {
7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
93 SSL_CTX *ssl_ctx;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
94
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
95 X509 *cert;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
96 X509 *issuer;
7651
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
97 STACK_OF(X509) *chain;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
98
7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
99 int status;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
100 time_t valid;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
101
6813
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
102 u_char *name;
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
103
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
104 ngx_uint_t naddrs;
7652
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
105 ngx_uint_t naddr;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
106
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
107 ngx_addr_t *addrs;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
108 ngx_str_t host;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
109 ngx_str_t uri;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
110 in_port_t port;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
111
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
112 ngx_resolver_t *resolver;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
113 ngx_msec_t resolver_timeout;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
114
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
115 ngx_msec_t timeout;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
116
6810
64f5bfba5d96 OCSP stapling: style.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6688
diff changeset
117 void (*handler)(ngx_ssl_ocsp_ctx_t *ctx);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
118 void *data;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
119
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
120 ngx_str_t key;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
121 ngx_buf_t *request;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
122 ngx_buf_t *response;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
123 ngx_peer_connection_t peer;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
124
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
125 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
126
6810
64f5bfba5d96 OCSP stapling: style.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6688
diff changeset
127 ngx_int_t (*process)(ngx_ssl_ocsp_ctx_t *ctx);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
128
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
129 ngx_uint_t state;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
130
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
131 ngx_uint_t code;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
132 ngx_uint_t count;
7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
133 ngx_uint_t flags;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
134 ngx_uint_t done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
135
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
136 u_char *header_name_start;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
137 u_char *header_name_end;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
138 u_char *header_start;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
139 u_char *header_end;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
140
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
141 ngx_pool_t *pool;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
142 ngx_log_t *log;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
143 };
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
144
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
145
6547
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6546
diff changeset
146 static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6546
diff changeset
147 X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
148 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
6544
458e01ef46e6 OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6491
diff changeset
149 ngx_ssl_stapling_t *staple, ngx_str_t *file);
458e01ef46e6 OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6491
diff changeset
150 static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
458e01ef46e6 OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6491
diff changeset
151 ngx_ssl_stapling_t *staple);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
152 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
6544
458e01ef46e6 OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6491
diff changeset
153 ngx_ssl_stapling_t *staple, ngx_str_t *responder);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
154
4874
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
155 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
156 void *data);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
157 static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
158 static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
159
6181
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
160 static time_t ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time);
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
161
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
162 static void ngx_ssl_stapling_cleanup(void *data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
163
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
164 static void ngx_ssl_ocsp_validate_next(ngx_connection_t *c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
165 static void ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
166 static ngx_int_t ngx_ssl_ocsp_responder(ngx_connection_t *c,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
167 ngx_ssl_ocsp_ctx_t *ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
168
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
169 static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(ngx_log_t *log);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
170 static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx);
7652
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
171 static void ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
172 static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
173 static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
174 static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
175 static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
176 static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
177 static void ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
178
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
179 static ngx_int_t ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
180 static ngx_int_t ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
181 static ngx_int_t ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
182 static ngx_int_t ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
183 static ngx_int_t ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
184 static ngx_int_t ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx);
7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
185 static ngx_int_t ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
186
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
187 static ngx_int_t ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
188 static ngx_int_t ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
189 static ngx_int_t ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
190
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
191 static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len);
4874
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
192
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
193
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
194 ngx_int_t
4879
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4878
diff changeset
195 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4878
diff changeset
Changesets annotated in this part of the file (rev, changeset, description, author, parents); the per-line blame below refers to them by rev:

4874  d1a20423c425  OCSP stapling: the ngx_event_openssl_stapling.c file.  Maxim Dounin <mdounin@mdounin.ru>  parents: (none)
4875  386a06a22c40  OCSP stapling: loading OCSP responses.  Maxim Dounin <mdounin@mdounin.ru>  parents: 4874
4879  4a804fd04e6c  OCSP stapling: ssl_stapling_verify directive.  Maxim Dounin <mdounin@mdounin.ru>  parents: 4878
5330  314c3d7cc3a5  Backed out f1a91825730a and 7094bd12c1ff.  Maxim Dounin <mdounin@mdounin.ru>  parents: 5317
6064  ff957cd36860  OCSP stapling: missing free calls.  Filipe da Silva <fdasilva@ingima.com>  parents: 5777
6205  dcae651b2a0c  OCSP stapling: fixed ssl_stapling_file (ticket #769).  Maxim Dounin <mdounin@mdounin.ru>  parents: 6181
6491  45f2385a47e6  SSL: X509 was made opaque in OpenSSL 1.1.0.  Sergey Kandaurov <pluknet@nginx.com>  parents: 6480
6544  458e01ef46e6  OCSP stapling: staple provided in arguments.  Maxim Dounin <mdounin@mdounin.ru>  parents: 6491
6545  a873b4d9cd80  OCSP stapling: staple now stored in certificate, not SSL context.  Maxim Dounin <mdounin@mdounin.ru>  parents: 6544
6547  e222a97d46c1  OCSP stapling: additional function to configure stapling on a cert.  Maxim Dounin <mdounin@mdounin.ru>  parents: 6546
6548  8a34e92d8ab5  SSL: made it possible to iterate though all certificates.  Maxim Dounin <mdounin@mdounin.ru>  parents: 6547
6812  a7ec59df0c4d  OCSP stapling: added certificate name to warnings.  Maxim Dounin <mdounin@mdounin.ru>  parents: 6811
7485  edf5cd6c56fa  OCSP stapling: open ssl_stapling_file in binary-mode.  Sergey Kandaurov <pluknet@nginx.com>  parents: 7067
7651  6ca8e15caf1f  OCSP stapling: keep extra chain in the staple object.  Roman Arutyunyan <arut@nginx.com>  parents: 7650

rev   line  source
      196      ngx_str_t *responder, ngx_uint_t verify)
4874  197  {
6547  198      X509  *cert;
6547  199
6548  200      for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
6548  201           cert;
6548  202           cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
6547  203      {
6548  204          if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify)
6548  205              != NGX_OK)
6548  206          {
6548  207              return NGX_ERROR;
6548  208          }
6547  209      }
6547  210
6547  211      SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
6547  212
6547  213      return NGX_OK;
6547  214  }
6547  215
6547  216
6547  217  static ngx_int_t
6547  218  ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert,
6547  219      ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify)
6547  220  {
6547  221      ngx_int_t            rc;
6547  222      ngx_pool_cleanup_t  *cln;
6547  223      ngx_ssl_stapling_t  *staple;
4875  224
4875  225      staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
4875  226      if (staple == NULL) {
4875  227          return NGX_ERROR;
4875  228      }
4875  229
4875  230      cln = ngx_pool_cleanup_add(cf->pool, 0);
4875  231      if (cln == NULL) {
4875  232          return NGX_ERROR;
4875  233      }
4875  234
4875  235      cln->handler = ngx_ssl_stapling_cleanup;
4875  236      cln->data = staple;
4874  237
6545  238      if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) {
6545  239          ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
4875  240          return NGX_ERROR;
4875  241      }
4875  242
7651  243  #ifdef SSL_CTRL_SELECT_CURRENT_CERT
7651  244      /* OpenSSL 1.0.2+ */
7651  245      SSL_CTX_select_current_cert(ssl->ctx, cert);
7651  246  #endif
7651  247
7651  248  #ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
7651  249      /* OpenSSL 1.0.1+ */
7651  250      SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain);
7651  251  #else
7651  252      staple->chain = ssl->ctx->extra_certs;
7651  253  #endif
7651  254
4875  255      staple->ssl_ctx = ssl->ctx;
4875  256      staple->timeout = 60000;
4879  257      staple->verify = verify;
6545  258      staple->cert = cert;
6812  259      staple->name = X509_get_ex_data(staple->cert,
6812  260                                      ngx_ssl_certificate_name_index);
4875  261
4875  262      if (file->len) {
4875  263          /* use OCSP response from the file */
4875  264
6544  265          if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) {
4875  266              return NGX_ERROR;
4875  267          }
4875  268
6547  269          return NGX_OK;
4875  270      }
4875  271
6544  272      rc = ngx_ssl_stapling_issuer(cf, ssl, staple);
4875  273
4875  274      if (rc == NGX_DECLINED) {
4874  275          return NGX_OK;
4874  276      }
4874  277
4875  278      if (rc != NGX_OK) {
4875  279          return NGX_ERROR;
4875  280      }
4875  281
6544  282      rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder);
4875  283
4875  284      if (rc == NGX_DECLINED) {
4875  285          return NGX_OK;
4875  286      }
4875  287
4875  288      if (rc != NGX_OK) {
4875  289          return NGX_ERROR;
4875  290      }
4875  291
4875  292      return NGX_OK;
4875  293  }
4875  294
4875  295
4875  296  static ngx_int_t
6544  297  ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
6544  298      ngx_ssl_stapling_t *staple, ngx_str_t *file)
4875  299  {
6544  300      BIO            *bio;
6544  301      int             len;
6544  302      u_char         *p, *buf;
6544  303      OCSP_RESPONSE  *response;
4875  304
5330  305      if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
4874  306          return NGX_ERROR;
4874  307      }
4874  308
7485  309      bio = BIO_new_file((char *) file->data, "rb");
4874  310      if (bio == NULL) {
4874  311          ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4874  312                        "BIO_new_file(\"%s\") failed", file->data);
4874  313          return NGX_ERROR;
4874  314      }
4874  315
4874  316      response = d2i_OCSP_RESPONSE_bio(bio, NULL);
4874  317      if (response == NULL) {
4874  318          ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4874  319                        "d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data);
4874  320          BIO_free(bio);
4874  321          return NGX_ERROR;
4874  322      }
4874  323
4874  324      len = i2d_OCSP_RESPONSE(response, NULL);
4874  325      if (len <= 0) {
4874  326          ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4874  327                        "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
4874  328          goto failed;
4874  329      }
4874  330
4875  331      buf = ngx_alloc(len, ssl->log);
4874  332      if (buf == NULL) {
4874  333          goto failed;
4874  334      }
4874  335
4874  336      p = buf;
4874  337      len = i2d_OCSP_RESPONSE(response, &p);
4874  338      if (len <= 0) {
4874  339          ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4874  340                        "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
4875  341          ngx_free(buf);
4874  342          goto failed;
4874  343      }
4874  344
4874  345      OCSP_RESPONSE_free(response);
4874  346      BIO_free(bio);
4874  347
4875  348      staple->staple.data = buf;
4875  349      staple->staple.len = len;
6205  350      staple->valid = NGX_MAX_TIME_T_VALUE;
4874  351
4874  352      return NGX_OK;
4874  353
4874  354  failed:
4874  355
4874  356      OCSP_RESPONSE_free(response);
4874  357      BIO_free(bio);
4874  358
4874  359      return NGX_ERROR;
4874  360  }
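The file path above only checks that the file decodes as an OCSP_RESPONSE (d2i_OCSP_RESPONSE_bio, re-encoded with i2d_OCSP_RESPONSE) and then sets staple->valid to NGX_MAX_TIME_T_VALUE, so whatever is in the file is stapled unchanged, with no status, freshness or signature check, until the configuration is reloaded. The check is therefore the operator's job. The following is an added example, not nginx code: a stdlib-only Python walker over the RFC 6960 DER structure that pulls out responseStatus, certStatus and the thisUpdate/nextUpdate window and decides whether the file is fit to staple at a given time. The sample response it parses is constructed inline with dummy hashes and an all-zero signature; the code deliberately does not verify the signature or match the CertID to the served certificate, which is what OCSP_basic_verify and the issuer lookup further down this file are for.

```python
"""Inspect a DER OCSP response before pointing ssl_stapling_file at it.

Added example, not nginx code.  nginx only checks that the file parses and
then serves it unchanged (valid = NGX_MAX_TIME_T_VALUE), so status and
freshness are the operator's problem.  Stdlib-only; no signature check.
"""
from datetime import datetime, timezone

STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
# CertStatus alternatives are IMPLICIT: good [0] NULL, revoked [1] SEQUENCE, unknown [2] NULL
CERT_STATUS = {0x80: "good", 0xa1: "revoked", 0x82: "unknown"}


def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length bytes
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """List (tag, value_start, value_end) of every TLV inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        out.append((tag, vs, ve))
        pos = ve
    return out


def generalized_time(raw):
    return datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def inspect_ocsp_response(der):
    """Decode responseStatus and, for a successful response, certStatus,
    thisUpdate and nextUpdate (None if absent) of the first SingleResponse."""
    _, s, e = der_tlv(der, 0)                                # OCSPResponse
    top = der_children(der, s, e)
    status = der[top[0][1]]                                  # ENUMERATED
    info = {"responseStatus": STATUS_NAMES.get(status, status)}
    if status != 0:
        return info                                          # no responseBytes
    _, rb_s, rb_e = der_tlv(der, top[1][1])                  # [0] EXPLICIT ResponseBytes
    rb = der_children(der, rb_s, rb_e)
    basic = der[rb[1][1]:rb[1][2]]                           # OCTET STRING: BasicOCSPResponse
    _, b_s, b_e = der_tlv(basic, 0)
    _, tbs_s, tbs_e = der_children(basic, b_s, b_e)[0]       # tbsResponseData
    tbs = der_children(basic, tbs_s, tbs_e)
    if tbs[0][0] == 0xa0:                                    # optional version [0]
        tbs = tbs[1:]
    responses = der_children(basic, tbs[2][1], tbs[2][2])    # after responderID, producedAt
    single = der_children(basic, responses[0][1], responses[0][2])
    info["certStatus"] = CERT_STATUS.get(single[1][0], hex(single[1][0]))
    info["thisUpdate"] = generalized_time(basic[single[2][1]:single[2][2]])
    info["nextUpdate"] = None
    if len(single) > 3 and single[3][0] == 0xa0:             # nextUpdate [0] EXPLICIT
        _, n_s, n_e = der_tlv(basic, single[3][1])
        info["nextUpdate"] = generalized_time(basic[n_s:n_e])
    return info


def staple_is_usable(der, now_iso):
    """True only for a successful 'good' response whose window covers now_iso
    (UTC, e.g. '2024-01-03T12:00:00Z').  Anything else must not be stapled."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    info = inspect_ocsp_response(der)
    if info["responseStatus"] != "successful" or info.get("certStatus") != "good":
        return False
    if now < info["thisUpdate"]:
        return False
    return info["nextUpdate"] is None or now <= info["nextUpdate"]


# Constructed sample input: dummy hashes and an all-zero signature, for parsing only.
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def build_sample_response(cert_status, this_update, next_update):
    """Assemble a syntactically valid OCSPResponse; times are GeneralizedTime strings."""
    gt = lambda t: _der(0x18, t.encode())
    sha1 = _der(0x30, _der(0x06, bytes.fromhex("2b0e03021a")) + _der(0x05, b""))
    cert_id = _der(0x30, sha1 + _der(0x04, b"\x11" * 20) + _der(0x04, b"\x22" * 20)
                   + _der(0x02, b"\x01\x00"))
    single = _der(0x30, cert_id + cert_status + gt(this_update) + _der(0xa0, gt(next_update)))
    tbs = _der(0x30, _der(0xa2, _der(0x04, b"\x33" * 20)) + gt(this_update) + _der(0x30, single))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    basic = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 33))
    rb = _der(0x30, _der(0x06, bytes.fromhex("2b0601050507300101")) + _der(0x04, basic))
    return _der(0x30, _der(0x0a, b"\x00") + _der(0xa0, rb))


def build_error_response(status):
    """OCSPResponse carrying only a non-successful responseStatus (no responseBytes)."""
    return _der(0x30, _der(0x0a, bytes([status])))


GOOD = _der(0x80, b"")                                       # good [0] IMPLICIT NULL
REVOKED = _der(0xa1, _der(0x18, b"20231231000000Z"))          # revoked [1] RevokedInfo
```

For a real file, read it with `open(path, "rb").read()` and pass the bytes to `staple_is_usable`; `openssl ocsp -respin FILE -text -noverify` prints the same fields for a manual cross-check. A "tryLater" or "unauthorized" response, a "revoked" status, or a nextUpdate in the past all decode fine through d2i_OCSP_RESPONSE_bio and would be stapled by the file path as-is, which is exactly why the decision is taken here rather than left to nginx.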
4874  361
4874  362
4875  363  static ngx_int_t
6544  364  ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
6544  365      ngx_ssl_stapling_t *staple)
4875  366  {
6544  367      int              i, n, rc;
6544  368      X509            *cert, *issuer;
6544  369      X509_STORE      *store;
6544  370      X509_STORE_CTX  *store_ctx;
4875  371
6545  372      cert = staple->cert;
4875  373
7651  374      n = sk_X509_num(staple->chain);
4875  375
4875  376      ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
4875  377                     "SSL get issuer: %d extra certs", n);
4875  378
4875  379      for (i = 0; i < n; i++) {
7651  380          issuer = sk_X509_value(staple->chain, i);
4875  381          if (X509_check_issued(issuer, cert) == X509_V_OK) {
6491  382  #if OPENSSL_VERSION_NUMBER >= 0x10100001L
6491  383              X509_up_ref(issuer);
6491  384  #else
4875  385              CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
6491  386  #endif
4875  387
4875  388              ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
4875  389                             "SSL get issuer: found %p in extra certs", issuer);
4875  390
4875  391              staple->issuer = issuer;
4875  392
4875  393              return NGX_OK;
4875  394          }
4875  395      }
4875  396
4875  397      store = SSL_CTX_get_cert_store(ssl->ctx);
4875  398      if (store == NULL) {
4875  399          ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4875  400                        "SSL_CTX_get_cert_store() failed");
4875  401          return NGX_ERROR;
4875  402      }
4875  403
4875  404      store_ctx = X509_STORE_CTX_new();
4875  405      if (store_ctx == NULL) {
4875  406          ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4875  407                        "X509_STORE_CTX_new() failed");
4875  408          return NGX_ERROR;
4875  409      }
4875  410
4875  411      if (X509_STORE_CTX_init(store_ctx, store, NULL, NULL) == 0) {
4875  412          ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4875  413                        "X509_STORE_CTX_init() failed");
6064  414          X509_STORE_CTX_free(store_ctx);
4875  415          return NGX_ERROR;
4875  416      }
4875  417
4875  418      rc = X509_STORE_CTX_get1_issuer(&issuer, store_ctx, cert);
4875  419
4875  420      if (rc == -1) {
4875  421          ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4875  422                        "X509_STORE_CTX_get1_issuer() failed");
4875  423          X509_STORE_CTX_free(store_ctx);
4875  424          return NGX_ERROR;
4875  425      }
4875  426
4875  427      if (rc == 0) {
4875  428          ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
6812  429                        "\"ssl_stapling\" ignored, "
6812  430                        "issuer certificate not found for certificate \"%s\"",
6812  431                        staple->name);
4875  432          X509_STORE_CTX_free(store_ctx);
4875  433          return NGX_DECLINED;
4875  434      }
4875  435
4875  436      X509_STORE_CTX_free(store_ctx);
4875  437
4875  438      ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
4875  439                     "SSL get issuer: found %p in cert store", issuer);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
440
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
441 staple->issuer = issuer;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
442
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
443 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
444 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
445
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
446
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
447 static ngx_int_t
6544
458e01ef46e6 OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6491
diff changeset
448 ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
458e01ef46e6 OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6491
diff changeset
449 ngx_ssl_stapling_t *staple, ngx_str_t *responder)
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
450 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
451 char *s;
6688
6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6593
diff changeset
452 ngx_str_t rsp;
6810
64f5bfba5d96 OCSP stapling: style.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6688
diff changeset
453 ngx_url_t u;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
454 STACK_OF(OPENSSL_STRING) *aia;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
455
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
456 if (responder->len == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
457
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
458 /* extract OCSP responder URL from certificate */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
459
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
460 aia = X509_get1_ocsp(staple->cert);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
461 if (aia == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
462 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
463 "\"ssl_stapling\" ignored, "
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
464 "no OCSP responder URL in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
465 staple->name);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
466 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
467 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
468
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
469 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
470 s = sk_OPENSSL_STRING_value(aia, 0);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
471 #else
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
472 s = sk_value(aia, 0);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
473 #endif
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
474 if (s == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
475 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
476 "\"ssl_stapling\" ignored, "
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
477 "no OCSP responder URL in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
478 staple->name);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
479 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
480 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
481 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
482
6688
6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6593
diff changeset
483 responder = &rsp;
6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6593
diff changeset
484
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
485 responder->len = ngx_strlen(s);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
486 responder->data = ngx_palloc(cf->pool, responder->len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
487 if (responder->data == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
488 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
489 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
490 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
491
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
492 ngx_memcpy(responder->data, s, responder->len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
493 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
494 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
495
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
496 ngx_memzero(&u, sizeof(ngx_url_t));
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
497
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
498 u.url = *responder;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
499 u.default_port = 80;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
500 u.uri_part = 1;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
501
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
502 if (u.url.len > 7
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
503 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
504 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
505 u.url.len -= 7;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
506 u.url.data += 7;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
507
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
508 } else {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
509 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
510 "\"ssl_stapling\" ignored, "
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
511 "invalid URL prefix in OCSP responder \"%V\" "
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
512 "in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
513 &u.url, staple->name);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
514 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
515 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
516
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
517 if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
518 if (u.err) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
519 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
520 "\"ssl_stapling\" ignored, "
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
521 "%s in OCSP responder \"%V\" "
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
522 "in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
523 u.err, &u.url, staple->name);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
524 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
525 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
526
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
527 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
528 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
529
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
530 staple->addrs = u.addrs;
7652
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
531 staple->naddrs = u.naddrs;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
532 staple->host = u.host;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
533 staple->uri = u.uri;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
534 staple->port = u.port;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
535
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
536 if (staple->uri.len == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
537 ngx_str_set(&staple->uri, "/");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
538 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
539
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
540 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
541 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
542
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
543
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
544 ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
545 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
546 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
547 {
6545
a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6544
diff changeset
548 X509 *cert;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
549 ngx_ssl_stapling_t *staple;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
550
6548
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6547
diff changeset
551 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6547
diff changeset
552 cert;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6547
diff changeset
553 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6547
diff changeset
554 {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6547
diff changeset
555 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6547
diff changeset
556 staple->resolver = resolver;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6547
diff changeset
557 staple->resolver_timeout = resolver_timeout;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6547
diff changeset
558 }
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
559
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
560 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
561 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
562
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
563
4874
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
564 static int
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
565 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
566 {
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
567 int rc;
6546
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
568 X509 *cert;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
569 u_char *p;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
570 ngx_connection_t *c;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
571 ngx_ssl_stapling_t *staple;
4874
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
572
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
573 c = ngx_ssl_get_connection(ssl_conn);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
574
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
575 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
576 "SSL certificate status callback");
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
577
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
578 rc = SSL_TLSEXT_ERR_NOACK;
4874
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
579
6546
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
580 cert = SSL_get_certificate(ssl_conn);
7493
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7485
diff changeset
581
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7485
diff changeset
582 if (cert == NULL) {
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7485
diff changeset
583 return rc;
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7485
diff changeset
584 }
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7485
diff changeset
585
6546
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
586 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
587
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
588 if (staple == NULL) {
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
589 return rc;
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
590 }
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents: 6545
diff changeset
591
6181
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
592 if (staple->staple.len
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
593 && staple->valid >= ngx_time())
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
594 {
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
595 /* we have to copy ocsp response as OpenSSL will free it by itself */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
596
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
597 p = OPENSSL_malloc(staple->staple.len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
598 if (p == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
599 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
600 return SSL_TLSEXT_ERR_NOACK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
601 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
602
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
603 ngx_memcpy(p, staple->staple.data, staple->staple.len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
604
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
605 SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->staple.len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
606
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
607 rc = SSL_TLSEXT_ERR_OK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
608 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
609
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
610 ngx_ssl_stapling_update(staple);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
611
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
612 return rc;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
613 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
614
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
615
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
616 static void
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
617 ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
618 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
619 ngx_ssl_ocsp_ctx_t *ctx;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
620
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
621 if (staple->host.len == 0
6181
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
622 || staple->loading || staple->refresh >= ngx_time())
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
623 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
624 return;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
625 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
626
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
627 staple->loading = 1;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
628
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
629 ctx = ngx_ssl_ocsp_start(ngx_cycle->log);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
630 if (ctx == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
631 return;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
632 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
633
7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
634 ctx->ssl_ctx = staple->ssl_ctx;
4875
Changesets annotated in this part of the file (each listed once; every code line below carries the revision it was last changed in, as in "hg annotate -n"):

4875 386a06a22c40 OCSP stapling: loading OCSP responses.
     Maxim Dounin <mdounin@mdounin.ru>, parents: 4874
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
     Maxim Dounin <mdounin@mdounin.ru>, parents: 6064
6810 64f5bfba5d96 OCSP stapling: style.
     Maxim Dounin <mdounin@mdounin.ru>, parents: 6688
6813 94586180fb41 OCSP stapling: improved error logging context.
     Maxim Dounin <mdounin@mdounin.ru>, parents: 6812
6842 25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly.
     Maxim Dounin <mdounin@mdounin.ru>, parents: 6841
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
     Roman Arutyunyan <arut@nginx.com>, parents: 7509
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
     Roman Arutyunyan <arut@nginx.com>, parents: 7650
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses.
     Roman Arutyunyan <arut@nginx.com>, parents: 7651
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
     Roman Arutyunyan <arut@nginx.com>, parents: 7652
7654 b56f725dd4bb OCSP: certificate status cache.
     Roman Arutyunyan <arut@nginx.com>, parents: 7653

4875:     ctx->cert = staple->cert;
4875:     ctx->issuer = staple->issuer;
7651:     ctx->chain = staple->chain;
6813:     ctx->name = staple->name;
7650:     ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
4875: 
4875:     ctx->addrs = staple->addrs;
7652:     ctx->naddrs = staple->naddrs;
4875:     ctx->host = staple->host;
4875:     ctx->uri = staple->uri;
4875:     ctx->port = staple->port;
4875:     ctx->timeout = staple->timeout;
4875: 
4875:     ctx->resolver = staple->resolver;
4875:     ctx->resolver_timeout = staple->resolver_timeout;
4875: 
4875:     ctx->handler = ngx_ssl_stapling_ocsp_handler;
4875:     ctx->data = staple;
4875: 
4875:     ngx_ssl_ocsp_request(ctx);
4875: 
4875:     return;
4875: }
4875: 
4875: 
4875: static void
4875: ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
4875: {
7650:     time_t               now;
7650:     ngx_str_t            response;
7650:     ngx_ssl_stapling_t  *staple;
4875: 
4875:     staple = ctx->data;
6181:     now = ngx_time();
4875: 
7650:     if (ngx_ssl_ocsp_verify(ctx) != NGX_OK) {
4875:         goto error;
4875:     }
4875: 
7650:     if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
4875:         ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
7650:                       "certificate status \"%s\" in the OCSP response",
7650:                       OCSP_cert_status_str(ctx->status));
4875:         goto error;
4875:     }
4875: 
4875:     /* copy the response to memory not in ctx->pool */
4875: 
7650:     response.len = ctx->response->last - ctx->response->pos;
4875:     response.data = ngx_alloc(response.len, ctx->log);
4875: 
4875:     if (response.data == NULL) {
6181:         goto error;
4875:     }
4875: 
4875:     ngx_memcpy(response.data, ctx->response->pos, response.len);
4875: 
4875:     if (staple->staple.data) {
4875:         ngx_free(staple->staple.data);
4875:     }
4875: 
4875:     staple->staple = response;
7650:     staple->valid = ctx->valid;
4875: 
6181:     /*
6181:      * refresh before the response expires,
6181:      * but not earlier than in 5 minutes, and at least in an hour
6181:      */
4875: 
4875:     staple->loading = 0;
7650:     staple->refresh = ngx_max(ngx_min(ctx->valid - 300, now + 3600), now + 300);
4875: 
4875:     ngx_ssl_ocsp_done(ctx);
4875:     return;
4875: 
4875: error:
4875: 
4875:     staple->loading = 0;
6181:     staple->refresh = now + 300;
4875: 
4875:     ngx_ssl_ocsp_done(ctx);
4875: }
4875: 
4875: 
6181: static time_t
6181: ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time)
6181: {
6810:     BIO     *bio;
6842:     char    *value;
6181:     size_t   len;
6181:     time_t   time;
6181: 
6181:     /*
6181:      * OpenSSL doesn't provide a way to convert ASN1_GENERALIZEDTIME
6181:      * into time_t.  To do this, we use ASN1_GENERALIZEDTIME_print(),
6181:      * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g.,
6181:      * "Feb  3 00:55:52 2015 GMT"), and parse the result.
6181:      */
6181: 
6181:     bio = BIO_new(BIO_s_mem());
6181:     if (bio == NULL) {
6181:         return NGX_ERROR;
6181:     }
6181: 
6181:     /* fake weekday prepended to match C asctime() format */
6181: 
6181:     BIO_write(bio, "Tue ", sizeof("Tue ") - 1);
6181:     ASN1_GENERALIZEDTIME_print(bio, asn1time);
6842:     len = BIO_get_mem_data(bio, &value);
6181: 
6842:     time = ngx_parse_http_time((u_char *) value, len);
6181: 
6181:     BIO_free(bio);
6181: 
6181:     return time;
6181: }
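Added example (my own code, not nginx's) for ngx_ssl_stapling_ocsp_handler() and ngx_ssl_stapling_time() above. Two details in those functions are easy to misread. The refresh comment says "at least in an hour", but ngx_min(ctx->valid - 300, now + 3600) caps the next fetch at one hour from now and ngx_max(..., now + 300) floors it at five minutes; the error path always retries in five minutes. ctx->valid is the nextUpdate time that the verifier derived from the response, and ngx_ssl_stapling_time() obtains it by letting OpenSSL print the ASN1_GENERALIZEDTIME ("Feb  3 00:55:52 2015 GMT"), prepending a weekday so the text looks like asctime() output, and parsing that with nginx's HTTP date parser; OpenSSL 1.1.1 and later offer ASN1_TIME_to_tm() for the same job. The C below reimplements the printed-form parse without OpenSSL or nginx, adds a direct parser for the DER string ("20150203005552Z", the only form RFC 5280 allows), and applies the refresh clamp; the function names and the sample timestamps are mine. One more point worth carrying away from the ctx->flags assignment at the top of this span: with ssl_stapling_verify off the verifier runs with OCSP_NOVERIFY, so the responder's signing certificate is not validated before the response is stapled and served.

```c
/*
 * Added example, not nginx code: the time conversion behind ngx_ssl_stapling_time()
 * and the refresh clamp from ngx_ssl_stapling_ocsp_handler(), free of OpenSSL and
 * nginx.  Function names and sample timestamps are my own.
 */
#include <stdint.h>
#include <string.h>
#include <time.h>

/* days since 1970-01-01 for a proleptic Gregorian date (Hinnant's days_from_civil) */
static int64_t
days_from_civil(int64_t y, int64_t m, int64_t d)
{
    y -= (m <= 2);
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* exactly n ASCII digits at s, or -1 */
static int
digits(const char *s, size_t n)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* UTC calendar fields to time_t, (time_t) -1 if any field is out of range */
static time_t
to_epoch(int y, int mo, int d, int hh, int mm, int ss)
{
    if (y < 0 || mo < 1 || mo > 12 || d < 1 || d > 31 || hh < 0 || hh > 23
        || mm < 0 || mm > 59 || ss < 0 || ss > 59)
    {
        return (time_t) -1;
    }
    return (time_t) (days_from_civil(y, mo, d) * 86400 + hh * 3600 + mm * 60 + ss);
}

/* "Tue Feb  3 00:55:52 2015 GMT": the asctime()-like string nginx assembles in its BIO */
time_t
parse_printed_time(const char *s)
{
    static const char *mon[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
    const char *p = strchr(s, ' ');              /* the weekday is ignored */
    int mo, day, nd, hh, mm, ss, year;

    if (p == NULL) return (time_t) -1;
    p++;
    for (mo = 0; mo < 12 && strncmp(p, mon[mo], 3) != 0; mo++) { }
    if (mo == 12 || p[3] != ' ') return (time_t) -1;
    p += 4;
    while (*p == ' ') p++;                       /* the day is printed with %2d */
    for (day = 0, nd = 0; nd < 2 && p[nd] >= '0' && p[nd] <= '9'; nd++) {
        day = day * 10 + (p[nd] - '0');
    }
    if (nd == 0 || p[nd] != ' ') return (time_t) -1;
    p += nd + 1;
    hh = digits(p, 2);
    if (hh < 0 || p[2] != ':') return (time_t) -1;
    mm = digits(p + 3, 2);
    if (mm < 0 || p[5] != ':') return (time_t) -1;
    ss = digits(p + 6, 2);
    if (ss < 0 || p[8] != ' ') return (time_t) -1;
    year = digits(p + 9, 4);
    if (year < 0) return (time_t) -1;
    p += 13;
    if (*p != '\0' && strcmp(p, " GMT") != 0) return (time_t) -1;
    return to_epoch(year, mo + 1, day, hh, mm, ss);
}

/* "20150203005552Z" straight from the DER; RFC 5280 requires Zulu time with
   whole seconds, so anything else is rejected */
time_t
parse_generalized_time(const char *s, size_t len)
{
    if (len != 15 || s[14] != 'Z') return (time_t) -1;
    return to_epoch(digits(s, 4), digits(s + 4, 2), digits(s + 6, 2),
                    digits(s + 8, 2), digits(s + 10, 2), digits(s + 12, 2));
}

/* the clamp in ngx_ssl_stapling_ocsp_handler(): five minutes before nextUpdate,
   never sooner than five minutes from now and never later than an hour from now;
   the error path always retries in five minutes */
time_t
stapling_refresh(time_t valid, time_t now, int ok)
{
    time_t t = valid - 300;
    if (!ok) return now + 300;
    if (t > now + 3600) t = now + 3600;
    if (t < now + 300) t = now + 300;
    return t;
}
```

Feeding the response's nextUpdate through parse_printed_time() or parse_generalized_time() and then stapling_refresh() with the current time reproduces the schedule the handler stores in staple->refresh: a response that is about to expire is still re-fetched no sooner than five minutes out, and a long-lived response is re-fetched within the hour rather than sitting until just before nextUpdate.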
6181: 
6181: 
4875: static void
4875: ngx_ssl_stapling_cleanup(void *data)
4875: {
4875:     ngx_ssl_stapling_t  *staple = data;
4875: 
4875:     if (staple->issuer) {
4875:         X509_free(staple->issuer);
4875:     }
4875: 
4875:     if (staple->staple.data) {
4875:         ngx_free(staple->staple.data);
4875:     }
4875: }
4875: 
4875: 
7653: ngx_int_t
7653: ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
7654:     ngx_uint_t depth, ngx_shm_zone_t *shm_zone)
7653: {
7653:     ngx_url_t             u;
7653:     ngx_ssl_ocsp_conf_t  *ocf;
7653: 
7653:     ocf = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_ocsp_conf_t));
7653:     if (ocf == NULL) {
7653:         return NGX_ERROR;
7653:     }
7653: 
7653:     ocf->depth = depth;
7654:     ocf->shm_zone = shm_zone;
7653: 
7653:     if (responder->len) {
7653:         ngx_memzero(&u, sizeof(ngx_url_t));
7653: 
7653:         u.url = *responder;
7653:         u.default_port = 80;
7653:         u.uri_part = 1;
7653: 
7653:         if (u.url.len > 7
7653:             && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
7653:         {
7653:             u.url.len -= 7;
7653:             u.url.data += 7;
7653: 
7653:         } else {
7653:             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
7653:                           "invalid URL prefix in OCSP responder \"%V\" "
7653:                           "in \"ssl_ocsp_responder\"", &u.url);
7653:             return NGX_ERROR;
7653:         }
7653: 
7653:         if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
7653:             if (u.err) {
7653:                 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
7653:                               "%s in OCSP responder \"%V\" "
7653:                               "in \"ssl_ocsp_responder\"", u.err, &u.url);
7653:             }
7653: 
7653:             return NGX_ERROR;
7653:         }
7653: 
7653:         ocf->addrs = u.addrs;
7653:         ocf->naddrs = u.naddrs;
7653:         ocf->host = u.host;
7653:         ocf->uri = u.uri;
7653:         ocf->port = u.port;
7653:     }
7653: 
7653:     if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_ocsp_index, ocf) == 0) {
7653:         ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
7653:                       "SSL_CTX_set_ex_data() failed");
7653:         return NGX_ERROR;
7653:     }
7653: 
7653:     return NGX_OK;
7653: }
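Added example (my own code, not nginx's) for the responder URL check in ngx_ssl_ocsp() above. The prefix comparison is case-insensitive, it demands more than the seven bytes of "http://" (a bare "http://" is rejected before ngx_parse_url() ever sees it), and "https://" is refused outright: nginx fetches OCSP over plain HTTP, the transport RFC 6960 Appendix A defines, and trusts the signature inside the response rather than the channel. ngx_parse_url() then splits "host[:port][/uri]" with port 80 as the default and, because no_resolve is left unset here, resolves a hostname while the configuration is being loaded, so a responder name that cannot be resolved at that moment makes the configuration fail. The function below reproduces the prefix rule and the host/port/uri split for the common cases (no IPv6 brackets, no DNS); the struct, the function and the error strings are mine, and the responder names used in the test are made up.

```c
/*
 * Added example, not nginx code: the ssl_ocsp_responder URL rule applied by
 * ngx_ssl_ocsp() and the host[:port][/uri] split that ngx_parse_url() does
 * for it, for the common cases (no IPv6 brackets, no DNS).  The struct,
 * the function and the error strings are my own.
 */
#include <string.h>

typedef struct {
    char         host[256];
    char         uri[1024];     /* "/" when the URL has no path */
    int          port;          /* 80 unless given, as u.default_port = 80 */
    const char  *err;           /* NULL on success, otherwise a static message */
} ocsp_responder_t;

/* the nginx test: len > 7 && ngx_strncasecmp(url, "http://", 7) == 0 */
static int
has_http_prefix(const char *url)
{
    static const char  prefix[] = "http://";
    size_t             i;

    for (i = 0; i < sizeof(prefix) - 1; i++) {
        char  c = url[i];

        if (c >= 'A' && c <= 'Z') c += 'a' - 'A';
        if (c != prefix[i]) return 0;       /* also stops at a short string */
    }
    return url[i] != '\0';
}

int
parse_ocsp_responder(const char *url, ocsp_responder_t *r)
{
    const char  *p, *slash, *colon, *q;
    size_t       hlen;
    int          port;

    memset(r, 0, sizeof(*r));
    r->port = 80;
    strcpy(r->uri, "/");

    /* "https://" fails here: nginx fetches OCSP over plain HTTP only */
    if (!has_http_prefix(url)) {
        r->err = "invalid URL prefix";
        return -1;
    }
    p = url + 7;

    slash = strchr(p, '/');
    if (slash != NULL) {
        if (strlen(slash) >= sizeof(r->uri)) { r->err = "URI too long"; return -1; }
        strcpy(r->uri, slash);
        hlen = (size_t) (slash - p);
    } else {
        hlen = strlen(p);
    }

    colon = memchr(p, ':', hlen);
    if (colon != NULL) {
        port = 0;
        for (q = colon + 1; q < p + hlen; q++) {
            if (*q < '0' || *q > '9' || port > 6553) { r->err = "invalid port"; return -1; }
            port = port * 10 + (*q - '0');
        }
        if (port < 1 || port > 65535) { r->err = "invalid port"; return -1; }
        r->port = port;
        hlen = (size_t) (colon - p);
    }

    if (hlen == 0) { r->err = "no host"; return -1; }
    if (hlen >= sizeof(r->host)) { r->err = "host too long"; return -1; }
    memcpy(r->host, p, hlen);
    r->host[hlen] = '\0';
    return 0;
}
```

The error strings mirror the shape of the two EMERG messages in ngx_ssl_ocsp(): a prefix failure is reported by the caller itself, while anything after the prefix comes back from the URL parser and is printed with the offending URL.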
7653: 
7653: 
7653: ngx_int_t
7653: ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
7653:     ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
7653: {
7653:     ngx_ssl_ocsp_conf_t  *ocf;
7653: 
7653:     ocf = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_ocsp_index);
7653:     ocf->resolver = resolver;
7653:     ocf->resolver_timeout = resolver_timeout;
7653: 
7653:     return NGX_OK;
7653: }
7653: 
7653: 
7653: ngx_int_t
7653: ngx_ssl_ocsp_validate(ngx_connection_t *c)
7653: {
7653:     X509                 *cert;
7653:     SSL_CTX              *ssl_ctx;
7653:     ngx_int_t             rc;
7653:     X509_STORE           *store;
7653:     X509_STORE_CTX       *store_ctx;
7653:     STACK_OF(X509)       *chain;
7653:     ngx_ssl_ocsp_t       *ocsp;
7653:     ngx_ssl_ocsp_conf_t  *ocf;
7653: 
7653:     if (c->ssl->in_ocsp) {
7653:         if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
7653:             return NGX_ERROR;
7653:         }
7653: 
7653:         if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
7653:             return NGX_ERROR;
7653:         }
7653: 
7653:         return NGX_AGAIN;
7653:     }
7653: 
7653:     ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection);
7653: 
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
870 ocf = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_ocsp_index);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
871 if (ocf == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
872 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
873 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
874
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
875 if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
876 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
877 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
878
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
879 cert = SSL_get_peer_certificate(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
880 if (cert == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
881 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
882 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
883
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
884 ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t));
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
885 if (ocsp == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
886 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
887 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
888
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
889 c->ssl->ocsp = ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
890
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
891 ocsp->status = NGX_AGAIN;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
892 ocsp->cert_status = V_OCSP_CERTSTATUS_GOOD;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
893 ocsp->conf = ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
894
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
895 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
896
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
897 ocsp->certs = SSL_get0_verified_chain(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
898
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
899 if (ocsp->certs) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
900 ocsp->certs = X509_chain_up_ref(ocsp->certs);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
901 if (ocsp->certs == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
902 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
903 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
904 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
905
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
906 #endif
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
907
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
908 if (ocsp->certs == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
909 store = SSL_CTX_get_cert_store(ssl_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
910 if (store == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
911 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
912 "SSL_CTX_get_cert_store() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
913 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
914 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
915
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
916 store_ctx = X509_STORE_CTX_new();
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
917 if (store_ctx == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
918 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
919 "X509_STORE_CTX_new() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
920 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
921 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
922
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
923 chain = SSL_get_peer_cert_chain(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
924
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
925 if (X509_STORE_CTX_init(store_ctx, store, cert, chain) == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
926 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
927 "X509_STORE_CTX_init() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
928 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
929 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
930 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
931
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
932 rc = X509_verify_cert(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
933 if (rc <= 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
934 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_verify_cert() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
935 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
936 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
937 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
938
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
939 ocsp->certs = X509_STORE_CTX_get1_chain(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
940 if (ocsp->certs == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
941 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
942 "X509_STORE_CTX_get1_chain() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
943 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
944 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
945 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
946
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
947 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
948 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
949
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
950 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
7655
bd4d1b9db0ee Fixed format specifiers.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7654
diff changeset
951 "ssl ocsp validate, certs:%d", sk_X509_num(ocsp->certs));
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
952
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
953 ngx_ssl_ocsp_validate_next(c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
954
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
955 if (ocsp->status == NGX_AGAIN) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
956 c->ssl->in_ocsp = 1;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
957 return NGX_AGAIN;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
958 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
959
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
960 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
961 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
962
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
963
[7653 8409f9df6219: SSL: client certificate validation with OCSP (ticket #1534). (Roman Arutyunyan <arut@nginx.com>, parents: 7652)]

static void
ngx_ssl_ocsp_validate_next(ngx_connection_t *c)
{
[7654 b56f725dd4bb: OCSP: certificate status cache. (Roman Arutyunyan <arut@nginx.com>, parents: 7653)]
    ngx_int_t             rc;
[7653 8409f9df6219]
    ngx_uint_t            n;
    ngx_ssl_ocsp_t       *ocsp;
    ngx_ssl_ocsp_ctx_t   *ctx;
    ngx_ssl_ocsp_conf_t  *ocf;

    ocsp = c->ssl->ocsp;
    ocf = ocsp->conf;

    n = sk_X509_num(ocsp->certs);

    for ( ;; ) {

        if (ocsp->ncert == n - 1 || (ocf->depth == 2 && ocsp->ncert == 1)) {
            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "ssl ocsp validated, certs:%ui", ocsp->ncert);
[7667 1ece2ac2555a: OCSP: fixed use-after-free on error. (Roman Arutyunyan <arut@nginx.com>, parents: 7655)]
            rc = NGX_OK;
[7653 8409f9df6219]
            goto done;
        }

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "ssl ocsp validate cert:%ui", ocsp->ncert);

        ctx = ngx_ssl_ocsp_start(c->log);
        if (ctx == NULL) {
[7667 1ece2ac2555a]
            rc = NGX_ERROR;
            goto done;
[7653 8409f9df6219]
        }

        ocsp->ctx = ctx;

        ctx->ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection);
        ctx->cert = sk_X509_value(ocsp->certs, ocsp->ncert);
        ctx->issuer = sk_X509_value(ocsp->certs, ocsp->ncert + 1);
        ctx->chain = ocsp->certs;

        ctx->resolver = ocf->resolver;
        ctx->resolver_timeout = ocf->resolver_timeout;

        ctx->handler = ngx_ssl_ocsp_handler;
        ctx->data = c;

[7654 b56f725dd4bb]
        ctx->shm_zone = ocf->shm_zone;

[7653 8409f9df6219]
        ctx->addrs = ocf->addrs;
        ctx->naddrs = ocf->naddrs;
        ctx->host = ocf->host;
        ctx->uri = ocf->uri;
        ctx->port = ocf->port;

[7667 1ece2ac2555a]
        rc = ngx_ssl_ocsp_responder(c, ctx);
        if (rc != NGX_OK) {
            goto done;
[7653 8409f9df6219]
        }

        if (ctx->uri.len == 0) {
            ngx_str_set(&ctx->uri, "/");
        }

        ocsp->ncert++;

[7654 b56f725dd4bb]
        rc = ngx_ssl_ocsp_cache_lookup(ctx);

        if (rc == NGX_ERROR) {
[7667 1ece2ac2555a]
            goto done;
[7654 b56f725dd4bb]
        }

        if (rc == NGX_DECLINED) {
            break;
        }

        /* rc == NGX_OK */

        if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                           "ssl ocsp cached status \"%s\"",
                           OCSP_cert_status_str(ctx->status));
            ocsp->cert_status = ctx->status;
            goto done;
        }

        ocsp->ctx = NULL;
        ngx_ssl_ocsp_done(ctx);
[7653 8409f9df6219]
    }

    ngx_ssl_ocsp_request(ctx);
    return;

done:

[7667 1ece2ac2555a]
    ocsp->status = rc;

    if (c->ssl->in_ocsp) {
        c->ssl->handshaked = 1;
        c->ssl->handler(c);
    }
[7653 8409f9df6219]
}


8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1066 static void
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1067 ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1068 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1069 ngx_int_t rc;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1070 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1071 ngx_connection_t *c;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1072
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1073 c = ctx->data;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1074 ocsp = c->ssl->ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1075 ocsp->ctx = NULL;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1076
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1077 rc = ngx_ssl_ocsp_verify(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1078 if (rc != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1079 goto done;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1080 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1081
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1082 rc = ngx_ssl_ocsp_cache_store(ctx);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1083 if (rc != NGX_OK) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1084 goto done;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1085 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
1086
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1087 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1088 ocsp->cert_status = ctx->status;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1089 goto done;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1090 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1091
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1092 ngx_ssl_ocsp_done(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1093
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1094 ngx_ssl_ocsp_validate_next(c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1095
7667
1ece2ac2555a OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents: 7655
diff changeset
1096 return;
1ece2ac2555a OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents: 7655
diff changeset
1097
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1098 done:
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1099
7667
1ece2ac2555a OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents: 7655
diff changeset
1100 ocsp->status = rc;
1ece2ac2555a OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents: 7655
diff changeset
1101 ngx_ssl_ocsp_done(ctx);
1ece2ac2555a OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents: 7655
diff changeset
1102
1ece2ac2555a OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents: 7655
diff changeset
1103 if (c->ssl->in_ocsp) {
1ece2ac2555a OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents: 7655
diff changeset
1104 c->ssl->handshaked = 1;
1ece2ac2555a OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents: 7655
diff changeset
1105 c->ssl->handler(c);
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1106 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1107 }
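The `return;` after ngx_ssl_ocsp_validate_next() and the single report at `done:` in ngx_ssl_ocsp_handler() above leave exactly one place on each path that reports an error to the ssl handler, which is what removes the second callback on a connection the first callback already terminated. The following is an added example, not nginx code: a stand-alone C model of that double-report pattern, in which the ssl handler releases the connection on error and a second report touches released memory. All names (model_conn_t, report_status, start_request_*, validate_next_*) are assumptions of the model, and the single "request fails" flag stands in for the create/resolve/connect failures named in the commit message rather than reproducing nginx's actual control flow.

```c
#define NGX_OK     0
#define NGX_ERROR -1

/* Hypothetical model of the client connection: the few fields of
 * ngx_connection_t / ngx_ssl_connection_t the handler touches. */
typedef struct {
    int in_ocsp;        /* handshake is paused while OCSP validation runs */
    int handshaked;
    int status;         /* ocsp->status */
    int released;       /* set instead of free() so nothing here is ever really freed */
    int handler_calls;  /* how many times the ssl handler ran */
    int uaf;            /* accesses to the connection after it was released */
} model_conn_t;

/* c->ssl->handler: completes the handshake; on an OCSP error the server
 * terminates the client connection and releases its memory. */
static void ssl_handler(model_conn_t *c)
{
    c->handler_calls++;
    if (c->status != NGX_OK) {
        c->released = 1;
    }
}

/* Every access to the connection goes through here. In real code an access
 * after release is a use-after-free; the model counts it instead. */
static int touch(model_conn_t *c)
{
    if (c->released) {
        c->uaf++;
        return -1;
    }
    return 0;
}

/* Report the final OCSP status to the ssl layer, like the done: blocks in
 * ngx_ssl_ocsp_validate_next() and ngx_ssl_ocsp_handler(). */
static void report_status(model_conn_t *c, int rc)
{
    if (touch(c) != 0) {
        return;
    }
    c->status = rc;
    if (c->in_ocsp) {
        c->handshaked = 1;
        ssl_handler(c);
    }
}

/* Buggy arrangement: starting the request for the next certificate reports
 * the failure through the callback itself AND hands the error back to the
 * caller, which reports it a second time. */
static int start_request_buggy(model_conn_t *c, int request_fails)
{
    if (request_fails) {
        report_status(c, NGX_ERROR);    /* first callback: connection released */
        return NGX_ERROR;
    }
    return NGX_OK;
}

static void validate_next_buggy(model_conn_t *c, int request_fails)
{
    if (start_request_buggy(c, request_fails) != NGX_OK) {
        report_status(c, NGX_ERROR);    /* second callback: released memory */
    }
}

/* Fixed arrangement: the failure is reported in exactly one place and the
 * caller returns without touching the connection again. */
static void start_request_fixed(model_conn_t *c, int request_fails)
{
    if (request_fails) {
        report_status(c, NGX_ERROR);
    }
}

static void validate_next_fixed(model_conn_t *c, int request_fails)
{
    start_request_fixed(c, request_fails);
    /* nothing else may use c here: the handler may have released it */
}

static void simulate(model_conn_t *c, int fixed, int request_fails)
{
    c->in_ocsp = 1;
    if (fixed) {
        validate_next_fixed(c, request_fails);
    } else {
        validate_next_buggy(c, request_fails);
    }
}

/* Number of accesses to the connection after its release: 1 for the buggy
 * arrangement on a failed request, 0 for the fixed one. */
static int after_release_accesses(int fixed, int request_fails)
{
    model_conn_t c = { 0 };
    simulate(&c, fixed, request_fails);
    return c.uaf;
}

/* Number of times the ssl handler ran: at most once in both arrangements,
 * because the second report in the buggy path hits released memory first. */
static int ssl_handler_runs(int fixed, int request_fails)
{
    model_conn_t c = { 0 };
    simulate(&c, fixed, request_fails);
    return c.handler_calls;
}
```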
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652


static ngx_int_t
ngx_ssl_ocsp_responder(ngx_connection_t *c, ngx_ssl_ocsp_ctx_t *ctx)
{
    char                      *s;
    ngx_str_t                  responder;
    ngx_url_t                  u;
    STACK_OF(OPENSSL_STRING)  *aia;

    if (ctx->host.len) {
        return NGX_OK;
    }

    /* extract OCSP responder URL from certificate */

    aia = X509_get1_ocsp(ctx->cert);
    if (aia == NULL) {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "no OCSP responder URL in certificate");
        return NGX_ERROR;
    }

#if OPENSSL_VERSION_NUMBER >= 0x10000000L
    s = sk_OPENSSL_STRING_value(aia, 0);
#else
    s = sk_value(aia, 0);
#endif
    if (s == NULL) {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "no OCSP responder URL in certificate");
        X509_email_free(aia);
        return NGX_ERROR;
    }

    responder.len = ngx_strlen(s);
    responder.data = ngx_palloc(ctx->pool, responder.len);
    if (responder.data == NULL) {
        X509_email_free(aia);
        return NGX_ERROR;
    }

    ngx_memcpy(responder.data, s, responder.len);
    X509_email_free(aia);

    ngx_memzero(&u, sizeof(ngx_url_t));

    u.url = responder;
    u.default_port = 80;
    u.uri_part = 1;
    u.no_resolve = 1;

    if (u.url.len > 7
        && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
    {
        u.url.len -= 7;
        u.url.data += 7;

    } else {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "invalid URL prefix in OCSP responder \"%V\" "
                      "in certificate", &u.url);
        return NGX_ERROR;
    }

    if (ngx_parse_url(ctx->pool, &u) != NGX_OK) {
        if (u.err) {
            ngx_log_error(NGX_LOG_ERR, c->log, 0,
                          "%s in OCSP responder \"%V\" in certificate",
                          u.err, &u.url);
        }

        return NGX_ERROR;
    }

    if (u.host.len == 0) {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "empty host in OCSP responder in certificate");
        return NGX_ERROR;
    }

    ctx->addrs = u.addrs;
    ctx->naddrs = u.naddrs;
    ctx->host = u.host;
    ctx->uri = u.uri;
    ctx->port = u.port;

    return NGX_OK;
}


ngx_int_t
ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s)
{
    ngx_ssl_ocsp_t  *ocsp;

    ocsp = c->ssl->ocsp;
    if (ocsp == NULL) {
        return NGX_OK;
    }

    if (ocsp->status == NGX_ERROR) {
        *s = "certificate status request failed";
        return NGX_DECLINED;
    }

    switch (ocsp->cert_status) {

    case V_OCSP_CERTSTATUS_GOOD:
        return NGX_OK;

    case V_OCSP_CERTSTATUS_REVOKED:
        *s = "certificate revoked";
        break;

    default: /* V_OCSP_CERTSTATUS_UNKNOWN */
        *s = "certificate status unknown";
    }

    return NGX_DECLINED;
}


void
ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
{
    ngx_ssl_ocsp_t  *ocsp;

    ocsp = c->ssl->ocsp;
    if (ocsp == NULL) {
        return;
    }

    if (ocsp->ctx) {
        ngx_ssl_ocsp_done(ocsp->ctx);
        ocsp->ctx = NULL;
    }

    if (ocsp->certs) {
        sk_X509_pop_free(ocsp->certs, X509_free);
        ocsp->certs = NULL;
    }
}


4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874
static ngx_ssl_ocsp_ctx_t *
7653 8409f9df6219
ngx_ssl_ocsp_start(ngx_log_t *log)
4875 386a06a22c40
{
    ngx_pool_t          *pool;
    ngx_ssl_ocsp_ctx_t  *ctx;

7653 8409f9df6219
    pool = ngx_create_pool(2048, log);
4875 386a06a22c40
    if (pool == NULL) {
        return NULL;
    }

    ctx = ngx_pcalloc(pool, sizeof(ngx_ssl_ocsp_ctx_t));
    if (ctx == NULL) {
        ngx_destroy_pool(pool);
        return NULL;
    }

    log = ngx_palloc(pool, sizeof(ngx_log_t));
    if (log == NULL) {
        ngx_destroy_pool(pool);
        return NULL;
    }

    ctx->pool = pool;

    *log = *ctx->pool->log;

    ctx->pool->log = log;
    ctx->log = log;

    log->handler = ngx_ssl_ocsp_log_error;
diff changeset
1284 log->data = ctx;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1285 log->action = "requesting certificate status";
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1286
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1287 return ctx;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1288 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1289
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1290
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1291 static void
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1292 ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1293 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1294 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1295 "ssl ocsp done");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1296
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1297 if (ctx->peer.connection) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1298 ngx_close_connection(ctx->peer.connection);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1299 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1300
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1301 ngx_destroy_pool(ctx->pool);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1302 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1303
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1304
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1305 static void
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1306 ngx_ssl_ocsp_error(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1307 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1308 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1309 "ssl ocsp error");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1310
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1311 ctx->code = 0;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1312 ctx->handler(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1313 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1314
4874
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
1315
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1316 static void
7652
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1317 ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx)
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1318 {
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1319 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1320 "ssl ocsp next");
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1321
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1322 if (++ctx->naddr >= ctx->naddrs) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1323 ngx_ssl_ocsp_error(ctx);
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1324 return;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1325 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1326
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1327 ctx->request->pos = ctx->request->start;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1328
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1329 if (ctx->response) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1330 ctx->response->last = ctx->response->pos;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1331 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1332
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1333 if (ctx->peer.connection) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1334 ngx_close_connection(ctx->peer.connection);
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1335 ctx->peer.connection = NULL;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1336 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1337
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1338 ctx->state = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1339 ctx->count = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1340 ctx->done = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1341
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1342 ngx_ssl_ocsp_connect(ctx);
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1343 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1344
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1345
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1346 static void
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1347 ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1348 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1349 ngx_resolver_ctx_t *resolve, temp;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1350
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1351 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1352 "ssl ocsp request");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1353
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1354 if (ngx_ssl_ocsp_create_request(ctx) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1355 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1356 return;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1357 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1358
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1359 if (ctx->resolver) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1360 /* resolve OCSP responder hostname */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1361
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1362 temp.name = ctx->host;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1363
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1364 resolve = ngx_resolve_start(ctx->resolver, &temp);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1365 if (resolve == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1366 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1367 return;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1368 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1369
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1370 if (resolve == NGX_NO_RESOLVER) {
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1371 if (ctx->naddrs == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1372 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1373 "no resolver defined to resolve %V", &ctx->host);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1374
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1375 ngx_ssl_ocsp_error(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1376 return;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1377 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1378
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1379 ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1380 "no resolver defined to resolve %V", &ctx->host);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1381 goto connect;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1382 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1383
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1384 resolve->name = ctx->host;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1385 resolve->handler = ngx_ssl_ocsp_resolve_handler;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1386 resolve->data = ctx;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1387 resolve->timeout = ctx->resolver_timeout;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1388
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1389 if (ngx_resolve_name(resolve) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1390 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1391 return;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1392 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1393
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1394 return;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1395 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1396
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1397 connect:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1398
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1399 ngx_ssl_ocsp_connect(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1400 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1401
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1402
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1403 static void
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1404 ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1405 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1406 ngx_ssl_ocsp_ctx_t *ctx = resolve->data;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1407
5475
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1408 u_char *p;
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1409 size_t len;
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1410 socklen_t socklen;
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1411 ngx_uint_t i;
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1412 struct sockaddr *sockaddr;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1413
5234
a855ae7e6377 OCSP stapling: fixed incorrect debug level.
Ruslan Ermilov <ru@nginx.com>
parents: 5215
diff changeset
1414 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1415 "ssl ocsp resolve handler");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1416
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1417 if (resolve->state) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1418 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1419 "%V could not be resolved (%i: %s)",
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1420 &resolve->name, resolve->state,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1421 ngx_resolver_strerror(resolve->state));
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1422 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1423 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1424
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1425 #if (NGX_DEBUG)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1426 {
5475
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1427 u_char text[NGX_SOCKADDR_STRLEN];
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1428 ngx_str_t addr;
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1429
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1430 addr.data = text;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1431
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1432 for (i = 0; i < resolve->naddrs; i++) {
5475
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1433 addr.len = ngx_sock_ntop(resolve->addrs[i].sockaddr,
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1434 resolve->addrs[i].socklen,
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1435 text, NGX_SOCKADDR_STRLEN, 0);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1436
5475
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1437 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1438 "name was resolved to %V", &addr);
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1439
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1440 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1441 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1442 #endif
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1443
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1444 ctx->naddrs = resolve->naddrs;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1445 ctx->addrs = ngx_pcalloc(ctx->pool, ctx->naddrs * sizeof(ngx_addr_t));
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1446
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1447 if (ctx->addrs == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1448 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1449 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1450
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1451 for (i = 0; i < resolve->naddrs; i++) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1452
5475
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1453 socklen = resolve->addrs[i].socklen;
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1454
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1455 sockaddr = ngx_palloc(ctx->pool, socklen);
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1456 if (sockaddr == NULL) {
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1457 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1458 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1459
5475
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1460 ngx_memcpy(sockaddr, resolve->addrs[i].sockaddr, socklen);
6593
b3b7e33083ac Introduced ngx_inet_get_port() and ngx_inet_set_port() functions.
Roman Arutyunyan <arut@nginx.com>
parents: 6549
diff changeset
1461 ngx_inet_set_port(sockaddr, ctx->port);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1462
5475
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1463 ctx->addrs[i].sockaddr = sockaddr;
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1464 ctx->addrs[i].socklen = socklen;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1465
5475
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1466 p = ngx_pnalloc(ctx->pool, NGX_SOCKADDR_STRLEN);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1467 if (p == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1468 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1469 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1470
5475
07dd5bd222ac Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents: 5330
diff changeset
1471 len = ngx_sock_ntop(sockaddr, socklen, p, NGX_SOCKADDR_STRLEN, 1);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1472
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1473 ctx->addrs[i].name.len = len;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1474 ctx->addrs[i].name.data = p;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1475 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1476
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1477 ngx_resolve_name_done(resolve);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1478
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1479 ngx_ssl_ocsp_connect(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1480 return;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1481
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1482 failed:
386a06a22c40 OCSP stapling: loading OCSP responses.
Revisions annotated in this range (rev, changeset, description, author, parents):

4874  d1a20423c425  OCSP stapling: the ngx_event_openssl_stapling.c file.  Maxim Dounin <mdounin@mdounin.ru>  (parents: none)
4875  386a06a22c40  OCSP stapling: loading OCSP responses.  Maxim Dounin <mdounin@mdounin.ru>  (parents: 4874)
6064  ff957cd36860  OCSP stapling: missing free calls.  Filipe da Silva <fdasilva@ingima.com>  (parents: 5777)
6810  64f5bfba5d96  OCSP stapling: style.  Maxim Dounin <mdounin@mdounin.ru>  (parents: 6688)
7652  7cffd81015e7  OCSP stapling: iterate over all responder addresses.  Roman Arutyunyan <arut@nginx.com>  (parents: 7651)
7653  8409f9df6219  SSL: client certificate validation with OCSP (ticket #1534).  Roman Arutyunyan <arut@nginx.com>  (parents: 7652)

rev   line  source
4875  1483
      1484      ngx_resolve_name_done(resolve);
      1485      ngx_ssl_ocsp_error(ctx);
      1486  }
      1487
      1488
      1489  static void
      1490  ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx)
      1491  {
7652  1492      ngx_int_t    rc;
      1493      ngx_addr_t  *addr;
4875  1494
7652  1495      ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
      1496                     "ssl ocsp connect %ui/%ui", ctx->naddr, ctx->naddrs);
4875  1497
7652  1498      addr = &ctx->addrs[ctx->naddr];
4875  1499
7652  1500      ctx->peer.sockaddr = addr->sockaddr;
      1501      ctx->peer.socklen = addr->socklen;
      1502      ctx->peer.name = &addr->name;
4875  1503      ctx->peer.get = ngx_event_get_peer;
      1504      ctx->peer.log = ctx->log;
      1505      ctx->peer.log_error = NGX_ERROR_ERR;
      1506
      1507      rc = ngx_event_connect_peer(&ctx->peer);
      1508
      1509      ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
      1510                     "ssl ocsp connect peer done");
      1511
7652  1512      if (rc == NGX_ERROR) {
4875  1513          ngx_ssl_ocsp_error(ctx);
      1514          return;
      1515      }
      1516
7652  1517      if (rc == NGX_BUSY || rc == NGX_DECLINED) {
      1518          ngx_ssl_ocsp_next(ctx);
      1519          return;
      1520      }
      1521
4875  1522      ctx->peer.connection->data = ctx;
      1523      ctx->peer.connection->pool = ctx->pool;
      1524
      1525      ctx->peer.connection->read->handler = ngx_ssl_ocsp_read_handler;
      1526      ctx->peer.connection->write->handler = ngx_ssl_ocsp_write_handler;
      1527
      1528      ctx->process = ngx_ssl_ocsp_process_status_line;
      1529
7653  1530      if (ctx->timeout) {
      1531          ngx_add_timer(ctx->peer.connection->read, ctx->timeout);
      1532          ngx_add_timer(ctx->peer.connection->write, ctx->timeout);
      1533      }
4875  1534
      1535      if (rc == NGX_OK) {
      1536          ngx_ssl_ocsp_write_handler(ctx->peer.connection->write);
      1537          return;
      1538      }
      1539  }
      1540
      1541
      1542  static void
      1543  ngx_ssl_ocsp_write_handler(ngx_event_t *wev)
      1544  {
      1545      ssize_t              n, size;
      1546      ngx_connection_t    *c;
      1547      ngx_ssl_ocsp_ctx_t  *ctx;
      1548
      1549      c = wev->data;
      1550      ctx = c->data;
      1551
      1552      ngx_log_debug0(NGX_LOG_DEBUG_EVENT, wev->log, 0,
      1553                     "ssl ocsp write handler");
      1554
      1555      if (wev->timedout) {
      1556          ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT,
      1557                        "OCSP responder timed out");
7652  1558          ngx_ssl_ocsp_next(ctx);
4875  1559          return;
      1560      }
      1561
      1562      size = ctx->request->last - ctx->request->pos;
      1563
      1564      n = ngx_send(c, ctx->request->pos, size);
      1565
      1566      if (n == NGX_ERROR) {
7652  1567          ngx_ssl_ocsp_next(ctx);
4875  1568          return;
      1569      }
      1570
      1571      if (n > 0) {
      1572          ctx->request->pos += n;
      1573
      1574          if (n == size) {
      1575              wev->handler = ngx_ssl_ocsp_dummy_handler;
      1576
      1577              if (wev->timer_set) {
      1578                  ngx_del_timer(wev);
      1579              }
      1580
      1581              if (ngx_handle_write_event(wev, 0) != NGX_OK) {
      1582                  ngx_ssl_ocsp_error(ctx);
      1583              }
      1584
      1585              return;
      1586          }
      1587      }
      1588
7653  1589      if (!wev->timer_set && ctx->timeout) {
4875  1590          ngx_add_timer(wev, ctx->timeout);
      1591      }
      1592  }
      1593
      1594
      1595  static void
      1596  ngx_ssl_ocsp_read_handler(ngx_event_t *rev)
      1597  {
6810  1598      ssize_t              n, size;
      1599      ngx_int_t            rc;
      1600      ngx_connection_t    *c;
      1601      ngx_ssl_ocsp_ctx_t  *ctx;
4875  1602
      1603      c = rev->data;
      1604      ctx = c->data;
      1605
      1606      ngx_log_debug0(NGX_LOG_DEBUG_EVENT, rev->log, 0,
      1607                     "ssl ocsp read handler");
      1608
      1609      if (rev->timedout) {
      1610          ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT,
      1611                        "OCSP responder timed out");
7652  1612          ngx_ssl_ocsp_next(ctx);
4875  1613          return;
      1614      }
      1615
      1616      if (ctx->response == NULL) {
      1617          ctx->response = ngx_create_temp_buf(ctx->pool, 16384);
      1618          if (ctx->response == NULL) {
      1619              ngx_ssl_ocsp_error(ctx);
      1620              return;
      1621          }
      1622      }
      1623
      1624      for ( ;; ) {
      1625
      1626          size = ctx->response->end - ctx->response->last;
      1627
      1628          n = ngx_recv(c, ctx->response->last, size);
      1629
      1630          if (n > 0) {
      1631              ctx->response->last += n;
      1632
      1633              rc = ctx->process(ctx);
      1634
      1635              if (rc == NGX_ERROR) {
7652  1636                  ngx_ssl_ocsp_next(ctx);
4875  1637                  return;
      1638              }
      1639
      1640              continue;
      1641          }
      1642
      1643          if (n == NGX_AGAIN) {
      1644
      1645              if (ngx_handle_read_event(rev, 0) != NGX_OK) {
      1646                  ngx_ssl_ocsp_error(ctx);
      1647              }
      1648
      1649              return;
      1650          }
      1651
      1652          break;
      1653      }
      1654
      1655      ctx->done = 1;
      1656
      1657      rc = ctx->process(ctx);
      1658
      1659      if (rc == NGX_DONE) {
      1660          /* ctx->handler() was called */
      1661          return;
4874  1662      }
      1663
4875  1664      ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
      1665                    "OCSP responder prematurely closed connection");
      1666
7652  1667      ngx_ssl_ocsp_next(ctx);
4875  1668  }
      1669
      1670
      1671  static void
      1672  ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev)
      1673  {
      1674      ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0,
      1675                     "ssl ocsp dummy handler");
      1676  }
      1677
      1678
      1679  static ngx_int_t
      1680  ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx)
      1681  {
      1682      int            len;
      1683      u_char        *p;
      1684      uintptr_t      escape;
      1685      ngx_str_t      binary, base64;
      1686      ngx_buf_t     *b;
      1687      OCSP_CERTID   *id;
      1688      OCSP_REQUEST  *ocsp;
      1689
      1690      ocsp = OCSP_REQUEST_new();
      1691      if (ocsp == NULL) {
      1692          ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
      1693                        "OCSP_REQUEST_new() failed");
      1694          return NGX_ERROR;
      1695      }
      1696
      1697      id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
      1698      if (id == NULL) {
      1699          ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
      1700                        "OCSP_cert_to_id() failed");
      1701          goto failed;
      1702      }
      1703
      1704      if (OCSP_request_add0_id(ocsp, id) == NULL) {
      1705          ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
      1706                        "OCSP_request_add0_id() failed");
6064  1707          OCSP_CERTID_free(id);
4875  1708          goto failed;
      1709      }
      1710
      1711      len = i2d_OCSP_REQUEST(ocsp, NULL);
      1712      if (len <= 0) {
      1713          ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
      1714                        "i2d_OCSP_REQUEST() failed");
      1715          goto failed;
      1716      }
      1717
      1718      binary.len = len;
      1719      binary.data = ngx_palloc(ctx->pool, len);
      1720      if (binary.data == NULL) {
      1721          goto failed;
      1722      }
      1723
      1724      p = binary.data;
      1725      len = i2d_OCSP_REQUEST(ocsp, &p);
      1726      if (len <= 0) {
      1727          ngx_ssl_error(NGX_LOG_EMERG, ctx->log, 0,
      1728                        "i2d_OCSP_REQUEST() failed");
      1729          goto failed;
      1730      }
      1731
      1732      base64.len = ngx_base64_encoded_length(binary.len);
      1733      base64.data = ngx_palloc(ctx->pool, base64.len);
      1734      if (base64.data == NULL) {
      1735          goto failed;
      1736      }
      1737
      1738      ngx_encode_base64(&base64, &binary);
      1739
      1740      escape = ngx_escape_uri(NULL, base64.data, base64.len,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1741 NGX_ESCAPE_URI_COMPONENT);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1742
4880
0254c1a43fe5 OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
1743 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
0254c1a43fe5 OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
1744 "ssl ocsp request length %z, escape %d",
6480
f01ab2dbcfdc Fixed logging.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6206
diff changeset
1745 base64.len, (int) escape);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1746
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1747 len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1748 + base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1749 + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1750 + sizeof(CRLF) - 1;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1751
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1752 b = ngx_create_temp_buf(ctx->pool, len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1753 if (b == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1754 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1755 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1756
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1757 p = b->last;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1758
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1759 p = ngx_cpymem(p, "GET ", sizeof("GET ") - 1);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1760 p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1761
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1762 if (ctx->uri.data[ctx->uri.len - 1] != '/') {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1763 *p++ = '/';
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1764 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1765
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1766 if (escape == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1767 p = ngx_cpymem(p, base64.data, base64.len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1768
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1769 } else {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1770 p = (u_char *) ngx_escape_uri(p, base64.data, base64.len,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1771 NGX_ESCAPE_URI_COMPONENT);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1772 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1773
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1774 p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1775 p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1776 p = ngx_cpymem(p, ctx->host.data, ctx->host.len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1777 *p++ = CR; *p++ = LF;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1778
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1779 /* add "\r\n" at the header end */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1780 *p++ = CR; *p++ = LF;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1781
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1782 b->last = p;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1783 ctx->request = b;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1784
5683
48c97d83ab7f OCSP stapling: missing OCSP request free call.
Filipe da Silva <fdasilvayy@gmail.com>
parents: 5477
diff changeset
1785 OCSP_REQUEST_free(ocsp);
48c97d83ab7f OCSP stapling: missing OCSP request free call.
Filipe da Silva <fdasilvayy@gmail.com>
parents: 5477
diff changeset
1786
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1787 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1788
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1789 failed:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1790
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1791 OCSP_REQUEST_free(ocsp);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1792
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1793 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1794 }
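The code above assembles the GET form of an OCSP request (RFC 6960, Appendix A.1): the DER-encoded OCSPRequest is base64-encoded, appended to the responder path as one more segment, and every character outside the RFC 3986 unreserved set is percent-encoded (NGX_ESCAPE_URI_COMPONENT). The buffer is sized first, charging two extra bytes for every escaped character, and only then filled with unchecked *p++ writes. The following stand-alone C program is an added example, not nginx code: b64_encode, needs_escape and ocsp_build_get_request are names chosen here, the four-byte DER stand-in is constructed so that its base64 form contains '+', '/' and '=', and the responder path "/ocsp" and host "ocsp.example.test" are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Base64, standard alphabet with '=' padding: the same text that
 * ngx_encode_base64() emits.  Returns the number of characters written;
 * dst needs ((n + 2) / 3) * 4 bytes. */
static size_t b64_encode(char *dst, const uint8_t *src, size_t n)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;

    for (i = 0; i + 2 < n; i += 3) {
        dst[o++] = tbl[src[i] >> 2];
        dst[o++] = tbl[((src[i] & 0x03) << 4) | (src[i + 1] >> 4)];
        dst[o++] = tbl[((src[i + 1] & 0x0f) << 2) | (src[i + 2] >> 6)];
        dst[o++] = tbl[src[i + 2] & 0x3f];
    }
    if (i < n) {                                  /* 1 or 2 bytes left */
        dst[o++] = tbl[src[i] >> 2];
        if (i + 1 < n) {
            dst[o++] = tbl[((src[i] & 0x03) << 4) | (src[i + 1] >> 4)];
            dst[o++] = tbl[(src[i + 1] & 0x0f) << 2];
        } else {
            dst[o++] = tbl[(src[i] & 0x03) << 4];
            dst[o++] = '=';
        }
        dst[o++] = '=';
    }
    return o;
}

/* RFC 3986 unreserved characters pass; everything else is percent-encoded,
 * as NGX_ESCAPE_URI_COMPONENT does.  Of the base64 alphabet only '+', '/'
 * and the '=' padding are affected. */
static int needs_escape(unsigned char c)
{
    return !((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
             || (c >= '0' && c <= '9')
             || c == '-' || c == '.' || c == '_' || c == '~');
}

/* Build "GET <uri>/<base64(der)> HTTP/1.0\r\nHost: <host>\r\n\r\n" the way
 * nginx does: measure first (each escaped byte costs two extra
 * characters), then write.  Returns the request length, or 0 when 'out'
 * (capacity out_cap, NUL included) or the local base64 buffer is too
 * small.  'uri' is the responder path, e.g. "/ocsp" (assumed here). */
static size_t ocsp_build_get_request(const char *uri, const char *host,
                                     const uint8_t *der, size_t der_len,
                                     char *out, size_t out_cap)
{
    char    b64[512];
    char   *p;
    size_t  b64_len, escape = 0, uri_len = strlen(uri), len, i;

    if (((der_len + 2) / 3) * 4 > sizeof(b64)) {
        return 0;
    }
    b64_len = b64_encode(b64, der, der_len);

    for (i = 0; i < b64_len; i++) {
        escape += needs_escape((unsigned char) b64[i]);
    }

    /* "GET " + uri + "/" + base64 + 2 * escape + " HTTP/1.0\r\n"
     * + "Host: " + host + "\r\n" + "\r\n", as in the nginx length formula */
    len = 4 + uri_len + 1 + b64_len + 2 * escape + 11
          + 6 + strlen(host) + 2 + 2;
    if (len + 1 > out_cap) {
        return 0;
    }

    p = out;
    p += sprintf(p, "GET %s", uri);
    if (uri_len == 0 || uri[uri_len - 1] != '/') {   /* join path and data */
        *p++ = '/';
    }
    for (i = 0; i < b64_len; i++) {
        unsigned char c = (unsigned char) b64[i];
        if (needs_escape(c)) {
            p += sprintf(p, "%%%02X", (unsigned) c);
        } else {
            *p++ = (char) c;
        }
    }
    p += sprintf(p, " HTTP/1.0\r\nHost: %s\r\n\r\n", host);

    return (size_t) (p - out);
}

int main(void)
{
    /* Constructed stand-in for a DER OCSPRequest, chosen so that the base64
     * form ("+/+/AA==") contains every character that must be escaped. */
    static const uint8_t der[] = { 0xfb, 0xff, 0xbf, 0x00 };
    char    req[256];
    size_t  n = ocsp_build_get_request("/ocsp", "ocsp.example.test",
                                       der, sizeof(der), req, sizeof(req));

    fwrite(req, 1, n, stdout);
    return 0;
}
```

Two points the example makes concrete. First, base64 output contains '/' and '+', and an unescaped '/' would be read by the responder as another path separator, so the request could not be decoded; hence the component-style escaping rather than plain URI escaping. Second, the only input-dependent quantities (the base64 length and the escape count) are measured before the buffer is allocated, which is why the unchecked writes in the nginx code cannot overrun it. Like nginx, the formula charges one byte for the '/' separator even when the path already ends in one, so the buffer may be one byte larger than the request; the returned length is the number of bytes actually written.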
[rev 4875 386a06a22c40]


static ngx_int_t
ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t  rc;

    rc = ngx_ssl_ocsp_parse_status_line(ctx);

    if (rc == NGX_OK) {
[rev 6811 5eb3309d0b9e] OCSP stapling: added http response status logging. (Maxim Dounin <mdounin@mdounin.ru>; parents: 6810)
        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                       "ssl ocsp status %ui \"%*s\"",
                       ctx->code,
                       ctx->header_end - ctx->header_start,
                       ctx->header_start);
[rev 4875 386a06a22c40]

        ctx->process = ngx_ssl_ocsp_process_headers;
        return ctx->process(ctx);
    }

    if (rc == NGX_AGAIN) {
        return NGX_AGAIN;
    }

    /* rc == NGX_ERROR */

    ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                  "OCSP responder sent invalid response");

    return NGX_ERROR;
}
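ngx_ssl_ocsp_process_status_line() above is driven by a resumable parser: NGX_AGAIN means the status line has not been fully received yet and the state saved in ctx lets the next read continue where this one stopped, NGX_OK hands control to the header parser, and anything else is logged and fails the whole OCSP fetch rather than being guessed at. The state machine that follows accepts only the literal "HTTP/", a major version whose first digit is 1 to 9, a dotted minor version and exactly three status digits. The C program below is an added example, not nginx code: it reimplements that machine stand-alone with the nginx state names, its own status_ctx struct and PARSE_OK/PARSE_AGAIN/PARSE_ERROR in place of NGX_OK/NGX_AGAIN/NGX_ERROR. The bodies of the last three states (sw_space_after_status, sw_status_text, sw_almost_done) are not on this page and are completed here by assumption: a space or end of line may follow the code, the reason phrase runs to the line end, and a bare LF is accepted as terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { PARSE_OK = 0, PARSE_AGAIN = 1, PARSE_ERROR = -1 };

enum status_state {
    sw_start = 0, sw_H, sw_HT, sw_HTT, sw_HTTP,
    sw_first_major_digit, sw_major_digit, sw_first_minor_digit, sw_minor_digit,
    sw_status, sw_space_after_status, sw_status_text, sw_almost_done
};

/* Survives across reads, like ctx->state, ctx->code and ctx->count in
 * nginx: a status line split across two reads is resumed, not re-parsed. */
struct status_ctx {
    enum status_state  state;
    unsigned           code;    /* status code, accumulated one digit at a time */
    unsigned           count;   /* digits of the code seen so far */
};

/* Consume buf[0..len).  PARSE_OK: terminator seen, ctx->code is valid and
 * *consumed bytes were used (the rest belongs to the headers).  PARSE_AGAIN:
 * all bytes used, more input needed.  PARSE_ERROR: not of the form
 * "HTTP/<major>.<minor> <3 digits>[ reason]<CRLF>" (*consumed untouched). */
static int parse_status_line(struct status_ctx *ctx, const char *buf,
                             size_t len, size_t *consumed)
{
    size_t  i;

    for (i = 0; i < len; i++) {
        unsigned char ch = (unsigned char) buf[i];

        switch (ctx->state) {

        case sw_start:
            if (ch != 'H') return PARSE_ERROR;
            ctx->code = 0;
            ctx->count = 0;
            ctx->state = sw_H;
            break;
        case sw_H:    if (ch != 'T') return PARSE_ERROR; ctx->state = sw_HT;   break;
        case sw_HT:   if (ch != 'T') return PARSE_ERROR; ctx->state = sw_HTT;  break;
        case sw_HTT:  if (ch != 'P') return PARSE_ERROR; ctx->state = sw_HTTP; break;
        case sw_HTTP: if (ch != '/') return PARSE_ERROR; ctx->state = sw_first_major_digit; break;

        case sw_first_major_digit:           /* '0' rejected: no "HTTP/0.9" */
            if (ch < '1' || ch > '9') return PARSE_ERROR;
            ctx->state = sw_major_digit;
            break;
        case sw_major_digit:
            if (ch == '.') { ctx->state = sw_first_minor_digit; break; }
            if (ch < '0' || ch > '9') return PARSE_ERROR;
            break;
        case sw_first_minor_digit:
            if (ch < '0' || ch > '9') return PARSE_ERROR;
            ctx->state = sw_minor_digit;
            break;
        case sw_minor_digit:
            if (ch == ' ') { ctx->state = sw_status; break; }
            if (ch < '0' || ch > '9') return PARSE_ERROR;
            break;

        case sw_status:                      /* exactly three digits */
            if (ch == ' ') break;            /* extra spaces are skipped */
            if (ch < '0' || ch > '9') return PARSE_ERROR;
            ctx->code = ctx->code * 10 + (ch - '0');
            if (++ctx->count == 3) ctx->state = sw_space_after_status;
            break;

        /* The three states below are this example's own completion. */
        case sw_space_after_status:
            if (ch == ' ') { ctx->state = sw_status_text; break; }
            if (ch == '\r') { ctx->state = sw_almost_done; break; }
            if (ch == '\n') goto done;
            return PARSE_ERROR;              /* e.g. a fourth digit */
        case sw_status_text:
            if (ch == '\r') { ctx->state = sw_almost_done; break; }
            if (ch == '\n') goto done;
            break;
        case sw_almost_done:
            if (ch != '\n') return PARSE_ERROR;
            goto done;
        }
    }

    *consumed = i;
    return PARSE_AGAIN;

done:
    *consumed = i + 1;
    ctx->state = sw_start;                   /* ready for the next response */
    return PARSE_OK;
}

/* Parse one complete line in a fresh context; *code receives the status. */
static int parse_once(const char *line, unsigned *code)
{
    struct status_ctx  ctx = { sw_start, 0, 0 };
    size_t             used = 0;
    int                rc = parse_status_line(&ctx, line, strlen(line), &used);

    *code = ctx.code;
    return rc;
}

int main(void)
{
    unsigned  code;
    int       rc = parse_once("HTTP/1.1 200 OK\r\n", &code);

    printf("rc=%d code=%u\n", rc, code);
    printf("rc=%d for HTTP/0.9\n", parse_once("HTTP/0.9 200 OK\r\n", &code));
    return 0;
}
```

Feeding "HTTP/1.1 2" and then "00 OK\r\n..." through the same status_ctx yields PARSE_AGAIN and then PARSE_OK with code 200, with the bytes after the line end left for the header parser; "HTTP/0.9 ...", a non-digit inside the code, or a fourth digit all produce PARSE_ERROR on the first offending byte, which is the behaviour the nginx caller turns into "OCSP responder sent invalid response".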
[rev 4875 386a06a22c40]


static ngx_int_t
ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx)
{
    u_char      ch;
    u_char     *p;
    ngx_buf_t  *b;
    enum {
        sw_start = 0,
        sw_H,
        sw_HT,
        sw_HTT,
        sw_HTTP,
        sw_first_major_digit,
        sw_major_digit,
        sw_first_minor_digit,
        sw_minor_digit,
        sw_status,
        sw_space_after_status,
        sw_status_text,
        sw_almost_done
    } state;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp process status line");

    state = ctx->state;
    b = ctx->response;

    for (p = b->pos; p < b->last; p++) {
        ch = *p;

        switch (state) {

        /* "HTTP/" */
        case sw_start:
            switch (ch) {
            case 'H':
                state = sw_H;
                break;
            default:
                return NGX_ERROR;
            }
            break;

        case sw_H:
            switch (ch) {
            case 'T':
                state = sw_HT;
                break;
            default:
                return NGX_ERROR;
            }
            break;

        case sw_HT:
            switch (ch) {
            case 'T':
                state = sw_HTT;
                break;
            default:
                return NGX_ERROR;
            }
            break;

        case sw_HTT:
            switch (ch) {
            case 'P':
                state = sw_HTTP;
                break;
            default:
                return NGX_ERROR;
            }
            break;

        case sw_HTTP:
            switch (ch) {
            case '/':
                state = sw_first_major_digit;
                break;
            default:
                return NGX_ERROR;
            }
            break;

        /* the first digit of major HTTP version */
        case sw_first_major_digit:
            if (ch < '1' || ch > '9') {
                return NGX_ERROR;
            }

            state = sw_major_digit;
            break;

        /* the major HTTP version or dot */
        case sw_major_digit:
            if (ch == '.') {
                state = sw_first_minor_digit;
                break;
            }

            if (ch < '0' || ch > '9') {
                return NGX_ERROR;
            }

            break;

        /* the first digit of minor HTTP version */
        case sw_first_minor_digit:
            if (ch < '0' || ch > '9') {
                return NGX_ERROR;
            }

            state = sw_minor_digit;
            break;

        /* the minor HTTP version or the end of the request line */
        case sw_minor_digit:
            if (ch == ' ') {
                state = sw_status;
                break;
            }

            if (ch < '0' || ch > '9') {
                return NGX_ERROR;
            }

            break;

        /* HTTP status code */
        case sw_status:
            if (ch == ' ') {
                break;
            }

            if (ch < '0' || ch > '9') {
                return NGX_ERROR;
            }

[rev 7067 e3723f2a11b7] Parenthesized ASCII-related calculations. (Valentin Bartenev <vbart@nginx.com>; parents: 6842)
            ctx->code = ctx->code * 10 + (ch - '0');
[rev 4875 386a06a22c40]

            if (++ctx->count == 3) {
                state = sw_space_after_status;
[rev 6811 5eb3309d0b9e] OCSP stapling: added http response status logging. (Maxim Dounin <mdounin@mdounin.ru>; parents: 6810)
                ctx->header_start = p - 2;
[rev 4875 386a06a22c40]
            }

            break;
[rev 4874 d1a20423c425] OCSP stapling: the ngx_event_openssl_stapling.c file. (Maxim Dounin <mdounin@mdounin.ru>)

[rev 4875 386a06a22c40]
        /* space or end of line */
        case sw_space_after_status:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1977 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1978 case ' ':
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1979 state = sw_status_text;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1980 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1981 case '.': /* IIS may send 403.1, 403.2, etc */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1982 state = sw_status_text;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1983 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1984 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1985 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1986 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1987 case LF:
6811
5eb3309d0b9e OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6810
diff changeset
1988 ctx->header_end = p;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1989 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1990 default:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1991 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1992 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1993 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1994
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1995 /* any text until end of line */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1996 case sw_status_text:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1997 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1998 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1999 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2000 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2001 case LF:
6811
5eb3309d0b9e OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6810
diff changeset
2002 ctx->header_end = p;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2003 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2004 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2005 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2006
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2007 /* end of status line */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2008 case sw_almost_done:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2009 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2010 case LF:
6811
5eb3309d0b9e OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6810
diff changeset
2011 ctx->header_end = p - 1;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2012 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2013 default:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2014 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2015 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2016 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2017 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2018
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2019 b->pos = p;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2020 ctx->state = state;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2021
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2022 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2023
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2024 done:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2025
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2026 b->pos = p + 1;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2027 ctx->state = sw_start;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2028
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2029 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2030 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2031
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2032
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2033 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2034 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2035 {
4876
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2036 size_t len;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2037 ngx_int_t rc;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2038
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2039 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2040 "ssl ocsp process headers");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2041
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2042 for ( ;; ) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2043 rc = ngx_ssl_ocsp_parse_header_line(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2044
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2045 if (rc == NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2046
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2047 ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2048 "ssl ocsp header \"%*s: %*s\"",
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2049 ctx->header_name_end - ctx->header_name_start,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2050 ctx->header_name_start,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2051 ctx->header_end - ctx->header_start,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2052 ctx->header_start);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2053
4876
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2054 len = ctx->header_name_end - ctx->header_name_start;
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2055
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2056 if (len == sizeof("Content-Type") - 1
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2057 && ngx_strncasecmp(ctx->header_name_start,
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2058 (u_char *) "Content-Type",
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2059 sizeof("Content-Type") - 1)
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2060 == 0)
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2061 {
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2062 len = ctx->header_end - ctx->header_start;
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2063
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2064 if (len != sizeof("application/ocsp-response") - 1
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2065 || ngx_strncasecmp(ctx->header_start,
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2066 (u_char *) "application/ocsp-response",
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2067 sizeof("application/ocsp-response") - 1)
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2068 != 0)
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2069 {
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2070 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2071 "OCSP responder sent invalid "
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2072 "\"Content-Type\" header: \"%*s\"",
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2073 ctx->header_end - ctx->header_start,
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2074 ctx->header_start);
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2075 return NGX_ERROR;
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2076 }
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2077
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2078 continue;
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2079 }
1a008f968f6d OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4875
diff changeset
2080
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2081 /* TODO: honor Content-Length */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2082
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2083 continue;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2084 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2085
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2086 if (rc == NGX_DONE) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2087 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2088 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2089
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2090 if (rc == NGX_AGAIN) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2091 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2092 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2093
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2094 /* rc == NGX_ERROR */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2095
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2096 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2097 "OCSP responder sent invalid response");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2098
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2099 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2100 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2101
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2102 ctx->process = ngx_ssl_ocsp_process_body;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2103 return ctx->process(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2104 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2105
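The two functions above read the responder's HTTP reply one byte at a time and save the parser state (ctx->state) and the consumed position (b->pos) between reads, so a status line or header split across TCP segments is handled without buffering the whole response; ngx_ssl_ocsp_process_headers() then refuses any reply whose Content-Type is not application/ocsp-response before a single body byte reaches the OCSP decoder. What follows is an added, self-contained C example of that resumable design; it is not nginx code. The parser, the driver that feeds it in pieces, the sample replies and every name in it (ocsp_hdr_t, ocsp_hdr_feed, ocsp_hdr_parse_chunked, OCSP_GOOD and the rest) are assumptions made for the example. It is looser than nginx on the status line (it skips to the first space rather than matching "HTTP/" byte by byte) and slightly stricter on header lines (a header name must be followed by a colon).

```c
/* Added example, not nginx code: a resumable parser for the HTTP header
 * section of an OCSP responder reply, modelled on ngx_ssl_ocsp_parse_status_line()
 * and ngx_ssl_ocsp_process_headers(). Every name here is assumed for the example. */
#include <ctype.h>
#include <string.h>
#include <strings.h>

enum { OCSP_ERROR = -1, OCSP_AGAIN = 0, OCSP_DONE = 1 };
typedef enum { sw_version, sw_status, sw_status_text, sw_hdr_start, sw_name, sw_value } ocsp_state_t;

typedef struct {
    ocsp_state_t  state;                  /* survives across reads, like ctx->state */
    int           cr;                     /* CR seen: the next byte must be LF */
    int           rc, code, count, content_type_ok;
    size_t        name_len, value_len, body_off;
    char          name[64], value[256];
} ocsp_hdr_t;

/* One complete header line: the same Content-Type rule as ngx_ssl_ocsp_process_headers(). */
static int
ocsp_hdr_line_done(ocsp_hdr_t *h)
{
    while (h->value_len && h->value[h->value_len - 1] == ' ') h->value_len--;
    h->name[h->name_len] = '\0';  h->value[h->value_len] = '\0';
    if (strcasecmp(h->name, "Content-Type") == 0) {
        if (strcasecmp(h->value, "application/ocsp-response") != 0) return OCSP_ERROR;
        h->content_type_ok = 1;
    }
    h->name_len = h->value_len = 0;  h->state = sw_hdr_start;
    return OCSP_AGAIN;
}

/* Consumes buf[0..len); OCSP_AGAIN = feed more bytes, OCSP_DONE = body starts at *used. */
int
ocsp_hdr_feed(ocsp_hdr_t *h, const unsigned char *buf, size_t len, size_t *used)
{
    size_t  i;  unsigned char  ch;
    for (i = 0; i < len; i++) {
        ch = buf[i];
        if (h->cr) {                          /* the LF may arrive in a later read */
            if (ch != '\n') goto error;
            h->cr = 0;
        } else if (ch == '\r') {              /* CR is legal only where a line may end */
            if (h->state < sw_status_text || h->state == sw_name) goto error;
            h->cr = 1;  continue;
        }
        switch (h->state) {
        case sw_version:                      /* skip "HTTP/1.x" up to the first space */
            if (ch == ' ') h->state = sw_status;
            break;
        case sw_status:                       /* exactly three digits */
            if (!isdigit(ch)) goto error;
            h->code = h->code * 10 + (ch - '0');
            if (++h->count == 3) h->state = sw_status_text;
            break;
        case sw_status_text:                  /* reason phrase: anything to end of line */
            if (ch == '\n') h->state = sw_hdr_start;
            break;
        case sw_hdr_start:
            if (ch == '\n') goto done;        /* empty line: headers finished */
            h->state = sw_name;
            /* fall through */
        case sw_name:                         /* token chars only; ':' ends the name */
            if (ch == ':') { h->state = sw_value; break; }
            if (!(isalnum(ch) || ch == '-') || h->name_len >= sizeof(h->name) - 1) goto error;
            h->name[h->name_len++] = (char) ch;
            break;
        case sw_value:
            if (ch == ' ' && h->value_len == 0) break;   /* space* before the value */
            if (ch == '\n') { if (ocsp_hdr_line_done(h) != OCSP_AGAIN) goto error; break; }
            if (h->value_len >= sizeof(h->value) - 1) goto error;
            h->value[h->value_len++] = (char) ch;
            break;
        }
    }
    *used = i;      return OCSP_AGAIN;
done:
    *used = i + 1;  return OCSP_DONE;
error:
    *used = i;      return OCSP_ERROR;
}

/* Driver: feeds resp in pieces of `chunk` bytes, as a socket read loop would. */
ocsp_hdr_t
ocsp_hdr_parse_chunked(const char *resp, size_t chunk)
{
    ocsp_hdr_t  h = { 0 };
    size_t      off = 0, n, used, total = strlen(resp);
    for (h.rc = OCSP_AGAIN; off < total && h.rc == OCSP_AGAIN; off += used) {
        n = total - off < chunk ? total - off : chunk;
        h.rc = ocsp_hdr_feed(&h, (const unsigned char *) resp + off, n, &used);
    }
    h.body_off = off;
    return h;
}

/* Constructed samples; the 5-byte body is a minimal DER OCSPResponse (status unauthorized). */
static const char OCSP_GOOD[] = "HTTP/1.1 200 OK\r\nContent-Type: application/ocsp-response\r\n"
                                "Content-Length: 5\r\n\r\n\x30\x03\x0a\x01\x06";
static const char OCSP_BAD_TYPE[] = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n";
static const char OCSP_BAD_STATUS[] = "HTTP/1.1 2x0 OK\r\n\r\n";
```

Feeding OCSP_GOOD one byte at a time and in a single call has to yield the same status code, the same body offset (79, so the five DER bytes follow) and the same Content-Type verdict; that equivalence is exactly what the saved state and the `cr` flag buy, and it is the property to check when touching a parser of this kind. The Content-Type rejection fires inside ocsp_hdr_line_done(), so a responder or an interposed proxy answering with text/html is dropped with OCSP_ERROR before any DER is looked at, the same ordering ngx_ssl_ocsp_process_headers() enforces by never handing the buffer to ngx_ssl_ocsp_process_body() after a failed header line. Recording Content-Length, which the original marks as a TODO, would be one more branch in ocsp_hdr_line_done().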

static ngx_int_t
ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx)
{
    u_char  c, ch, *p;
    enum {
        sw_start = 0,
        sw_name,
        sw_space_before_value,
        sw_value,
        sw_space_after_value,
        sw_almost_done,
        sw_header_almost_done
    } state;

    state = ctx->state;

    for (p = ctx->response->pos; p < ctx->response->last; p++) {
        ch = *p;

#if 0
        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                       "s:%d in:'%02Xd:%c'", state, ch, ch);
#endif

        switch (state) {

        /* first char */
        case sw_start:

            switch (ch) {
            case CR:
                ctx->header_end = p;
                state = sw_header_almost_done;
                break;
            case LF:
                ctx->header_end = p;
                goto header_done;
            default:
                state = sw_name;
                ctx->header_name_start = p;

                c = (u_char) (ch | 0x20);
                if (c >= 'a' && c <= 'z') {
                    break;
                }

                if (ch >= '0' && ch <= '9') {
                    break;
                }

                return NGX_ERROR;
            }
            break;

        /* header name */
        case sw_name:
            c = (u_char) (ch | 0x20);
            if (c >= 'a' && c <= 'z') {
                break;
            }

            if (ch == ':') {
                ctx->header_name_end = p;
                state = sw_space_before_value;
                break;
            }

            if (ch == '-') {
                break;
            }

            if (ch >= '0' && ch <= '9') {
                break;
            }

            if (ch == CR) {
                ctx->header_name_end = p;
                ctx->header_start = p;
                ctx->header_end = p;
                state = sw_almost_done;
                break;
            }

            if (ch == LF) {
                ctx->header_name_end = p;
                ctx->header_start = p;
                ctx->header_end = p;
                goto done;
            }

            return NGX_ERROR;

        /* space* before header value */
        case sw_space_before_value:
            switch (ch) {
            case ' ':
                break;
            case CR:
                ctx->header_start = p;
                ctx->header_end = p;
                state = sw_almost_done;
                break;
            case LF:
                ctx->header_start = p;
                ctx->header_end = p;
                goto done;
            default:
2214 ctx->header_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2215 state = sw_value;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2216 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2217 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2218 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2219
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2220 /* header value */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2221 case sw_value:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2222 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2223 case ' ':
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2224 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2225 state = sw_space_after_value;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2226 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2227 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2228 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2229 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2230 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2231 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2232 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2233 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2234 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2235 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2236
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2237 /* space* before end of header line */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2238 case sw_space_after_value:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2239 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2240 case ' ':
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2241 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2242 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2243 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2244 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2245 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2246 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2247 default:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2248 state = sw_value;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2249 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2250 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2251 break;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2252
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2253 /* end of header line */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2254 case sw_almost_done:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2255 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2256 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2257 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2258 default:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2259 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2260 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2261
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2262 /* end of header */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2263 case sw_header_almost_done:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2264 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2265 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2266 goto header_done;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2267 default:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2268 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2269 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2270 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2271 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2272
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2273 ctx->response->pos = p;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2274 ctx->state = state;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2275
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2276 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2277
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2278 done:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2279
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2280 ctx->response->pos = p + 1;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2281 ctx->state = sw_start;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2282
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2283 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2284
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2285 header_done:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2286
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2287 ctx->response->pos = p + 1;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2288 ctx->state = sw_start;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2289
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2290 return NGX_DONE;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2291 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2292
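The header-line state machine above is what nginx runs over the HTTP reply of an OCSP responder before it hands the body to the verifier. The following Python port is an added illustration, not nginx code: it keeps the same states, the same header_name_start/header_name_end/header_start/header_end offsets and the same NGX_AGAIN / NGX_OK / NGX_DONE results, so the edge cases the C code handles can be exercised on constructed input (trailing spaces trimmed from a value, a bare-LF line ending, an empty value, a stray CR). The status line is skipped rather than parsed, and the sw_start case is not on the page, so its handling here (CR or LF at the start of a line ends the header block, anything else begins a name) is an assumption, as is the sample reply.

```python
# Port of ngx_ssl_ocsp_parse_header_line() for illustration; not nginx code.
# Assumed: status line skipped, sw_start treats CR/LF as end of headers.

CR, LF, SP, COLON = 0x0D, 0x0A, 0x20, 0x3A

(START, NAME, SPACE_BEFORE_VALUE, VALUE,
 SPACE_AFTER_VALUE, ALMOST_DONE, HEADER_ALMOST_DONE) = range(7)

AGAIN, OK, DONE = "NGX_AGAIN", "NGX_OK", "NGX_DONE"


def _is_name_byte(ch):
    # a-z / A-Z (folded with | 0x20), '-' and 0-9: the bytes sw_name lets through
    return 0x61 <= (ch | 0x20) <= 0x7A or ch == 0x2D or 0x30 <= ch <= 0x39


class HeaderLineParser:
    """Mirrors ctx->state, ctx->response->pos and the four header_* offsets."""

    def __init__(self, pos=0):
        self.state, self.pos = START, pos
        self.name_start = self.name_end = self.header_start = self.header_end = pos

    def parse(self, buf):
        """Consume one header line from buf[self.pos:].  Returns AGAIN (more bytes
        needed, state saved), OK (one name/value line parsed) or DONE (empty line,
        end of headers).  Raises ValueError where the C code returns NGX_ERROR."""
        state, p = self.state, self.pos
        while p < len(buf):
            ch = buf[p]
            if state == START:
                self.name_start = p
                if ch == CR:
                    self.header_end = p
                    state = HEADER_ALMOST_DONE
                elif ch == LF:
                    self.header_end = p
                    return self._finish(p, DONE)
                else:
                    state = NAME
                    continue                      # re-examine ch under the NAME rules
            elif state == NAME:
                if _is_name_byte(ch):
                    pass
                elif ch == COLON:
                    self.name_end = p
                    state = SPACE_BEFORE_VALUE
                elif ch == CR:
                    self.name_end = self.header_start = self.header_end = p
                    state = ALMOST_DONE
                elif ch == LF:
                    self.name_end = self.header_start = self.header_end = p
                    return self._finish(p, OK)
                else:
                    raise ValueError("invalid byte %#x in header name" % ch)
            elif state == SPACE_BEFORE_VALUE:
                if ch == SP:
                    pass
                elif ch in (CR, LF):              # "Name:" with no value
                    self.header_start = self.header_end = p
                    if ch == LF:
                        return self._finish(p, OK)
                    state = ALMOST_DONE
                else:
                    self.header_start = p
                    state = VALUE
            elif state == VALUE:
                if ch == SP:                      # provisional end: trailing spaces trimmed
                    self.header_end = p
                    state = SPACE_AFTER_VALUE
                elif ch == CR:
                    self.header_end = p
                    state = ALMOST_DONE
                elif ch == LF:
                    self.header_end = p
                    return self._finish(p, OK)
            elif state == SPACE_AFTER_VALUE:
                if ch == CR:
                    state = ALMOST_DONE
                elif ch == LF:
                    return self._finish(p, OK)
                elif ch != SP:
                    state = VALUE                 # value continues; header_end moves later
            elif state == ALMOST_DONE:
                if ch != LF:
                    raise ValueError("CR not followed by LF in header line")
                return self._finish(p, OK)
            else:                                 # HEADER_ALMOST_DONE
                if ch != LF:
                    raise ValueError("CR not followed by LF at end of headers")
                return self._finish(p, DONE)
            p += 1
        self.state, self.pos = state, p
        return AGAIN

    def _finish(self, p, result):
        self.state, self.pos = START, p + 1       # the done: / header_done: labels
        return result


def parse_headers(buf):
    """Return ([(name, value), ...], body_offset) for a whole HTTP response, or
    (None, None) when the buffer ends before the empty line (NGX_AGAIN)."""
    nl = buf.find(b"\n")
    if nl < 0:
        return None, None
    parser, headers = HeaderLineParser(nl + 1), []
    while True:
        r = parser.parse(buf)
        if r == AGAIN:
            return None, None
        if r == DONE:
            return headers, parser.pos
        headers.append((buf[parser.name_start:parser.name_end].decode().lower(),
                        buf[parser.header_start:parser.header_end].decode()))


# Constructed responder reply (not captured traffic): trailing spaces, a bare-LF line
# and an empty value; the body bytes are a placeholder, not a real DER OCSP response.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: application/ocsp-response  \r\n"
          b"Content-Length: 5\n"
          b"X-Empty:\r\n"
          b"\r\n"
          b"\x30\x03\x0a\x01\x00")
```

parse_headers(SAMPLE) yields the three headers with the Content-Type value trimmed and an empty X-Empty, and a body offset pointing at the five placeholder bytes; feeding the parser a truncated buffer returns NGX_AGAIN with its state and offsets intact, so the same object can resume once more bytes arrive, exactly as ctx->state and ctx->response->pos let the C code do.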

static ngx_int_t
ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp process body");

    if (ctx->done) {
        ctx->handler(ctx);
        return NGX_DONE;
    }

    return NGX_AGAIN;
}


7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
lines 2309-2363:

static ngx_int_t
ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx)
{
    int                    n;
    size_t                 len;
    X509_STORE            *store;
    const u_char          *p;
    OCSP_CERTID           *id;
    OCSP_RESPONSE         *ocsp;
    OCSP_BASICRESP        *basic;
    ASN1_GENERALIZEDTIME  *thisupdate, *nextupdate;

    ocsp = NULL;
    basic = NULL;
    id = NULL;

    if (ctx->code != 200) {
        goto error;
    }

    /* check the response */

    len = ctx->response->last - ctx->response->pos;
    p = ctx->response->pos;

    ocsp = d2i_OCSP_RESPONSE(NULL, &p, len);
    if (ocsp == NULL) {
        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                      "d2i_OCSP_RESPONSE() failed");
        goto error;
    }

    n = OCSP_response_status(ocsp);

    if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP response not successful (%d: %s)",
                      n, OCSP_response_status_str(n));
        goto error;
    }

    basic = OCSP_response_get1_basic(ocsp);
    if (basic == NULL) {
        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP_response_get1_basic() failed");
        goto error;
    }

    store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
    if (store == NULL) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "SSL_CTX_get_cert_store() failed");
        goto error;
    }

7651
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
line 2364:

    if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) {

7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
lines 2365-2424:

        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP_basic_verify() failed");
        goto error;
    }

    id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
    if (id == NULL) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "OCSP_cert_to_id() failed");
        goto error;
    }

    if (OCSP_resp_find_status(basic, id, &ctx->status, NULL, NULL,
                              &thisupdate, &nextupdate)
        != 1)
    {
        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "certificate status not found in the OCSP response");
        goto error;
    }

    if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP_check_validity() failed");
        goto error;
    }

    if (nextupdate) {
        ctx->valid = ngx_ssl_stapling_time(nextupdate);
        if (ctx->valid == (time_t) NGX_ERROR) {
            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                          "invalid nextUpdate time in certificate status");
            goto error;
        }

    } else {
        ctx->valid = NGX_MAX_TIME_T_VALUE;
    }

    OCSP_CERTID_free(id);
    OCSP_BASICRESP_free(basic);
    OCSP_RESPONSE_free(ocsp);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp response, %s, %uz",
                   OCSP_cert_status_str(ctx->status), len);

    return NGX_OK;

error:

    if (id) {
        OCSP_CERTID_free(id);
    }

    if (basic) {
        OCSP_BASICRESP_free(basic);
    }

    if (ocsp) {
parents: 7509
diff changeset
2425 OCSP_RESPONSE_free(ocsp);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
2426 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
2427
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
2428 return NGX_ERROR;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
2429 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
2430
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
2431
7654
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2432 ngx_int_t
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2433 ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data)
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2434 {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2435 size_t len;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2436 ngx_slab_pool_t *shpool;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2437 ngx_ssl_ocsp_cache_t *cache;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2438
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2439 if (data) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2440 shm_zone->data = data;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2441 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2442 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2443
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2444 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2445
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2446 if (shm_zone->shm.exists) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2447 shm_zone->data = shpool->data;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2448 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2449 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2450
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2451 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_ocsp_cache_t));
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2452 if (cache == NULL) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2453 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2454 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2455
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2456 shpool->data = cache;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2457 shm_zone->data = cache;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2458
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2459 ngx_rbtree_init(&cache->rbtree, &cache->sentinel,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2460 ngx_str_rbtree_insert_value);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2461
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2462 ngx_queue_init(&cache->expire_queue);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2463
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2464 len = sizeof(" in OCSP cache \"\"") + shm_zone->shm.name.len;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2465
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2466 shpool->log_ctx = ngx_slab_alloc(shpool, len);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2467 if (shpool->log_ctx == NULL) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2468 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2469 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2470
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2471 ngx_sprintf(shpool->log_ctx, " in OCSP cache \"%V\"%Z",
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2472 &shm_zone->shm.name);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2473
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2474 shpool->log_nomem = 0;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2475
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2476 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2477 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2478
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2479
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2480 static ngx_int_t
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2481 ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx)
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2482 {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2483 uint32_t hash;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2484 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2485 ngx_slab_pool_t *shpool;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2486 ngx_ssl_ocsp_cache_t *cache;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2487 ngx_ssl_ocsp_cache_node_t *node;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2488
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2489 shm_zone = ctx->shm_zone;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2490
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2491 if (shm_zone == NULL) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2492 return NGX_DECLINED;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2493 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2494
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2495 if (ngx_ssl_ocsp_create_key(ctx) != NGX_OK) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2496 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2497 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2498
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2499 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp cache lookup");
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2500
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2501 cache = shm_zone->data;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2502 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2503 hash = ngx_hash_key(ctx->key.data, ctx->key.len);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2504
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2505 ngx_shmtx_lock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2506
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2507 node = (ngx_ssl_ocsp_cache_node_t *)
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2508 ngx_str_rbtree_lookup(&cache->rbtree, &ctx->key, hash);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2509
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2510 if (node) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2511 if (node->valid > ngx_time()) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2512 ctx->status = node->status;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2513 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2514
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2515 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2516 "ssl ocsp cache hit, %s",
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2517 OCSP_cert_status_str(ctx->status));
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2518
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2519 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2520 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2521
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2522 ngx_queue_remove(&node->queue);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2523 ngx_rbtree_delete(&cache->rbtree, &node->node.node);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2524 ngx_slab_free_locked(shpool, node);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2525
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2526 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2527
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2528 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2529 "ssl ocsp cache expired");
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2530
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2531 return NGX_DECLINED;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2532 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2533
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2534 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2535
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2536 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp cache miss");
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2537
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2538 return NGX_DECLINED;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2539 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2540
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2541
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2542 static ngx_int_t
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2543 ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx)
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2544 {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2545 time_t now, valid;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2546 uint32_t hash;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2547 ngx_queue_t *q;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2548 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2549 ngx_slab_pool_t *shpool;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2550 ngx_ssl_ocsp_cache_t *cache;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2551 ngx_ssl_ocsp_cache_node_t *node;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2552
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2553 shm_zone = ctx->shm_zone;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2554
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2555 if (shm_zone == NULL) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2556 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2557 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2558
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2559 valid = ctx->valid;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2560
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2561 now = ngx_time();
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2562
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2563 if (valid < now) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2564 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2565 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2566
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2567 if (valid == NGX_MAX_TIME_T_VALUE) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2568 valid = now + 3600;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2569 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2570
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2571 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2572 "ssl ocsp cache store, valid:%T", valid - now);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2573
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2574 cache = shm_zone->data;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2575 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2576 hash = ngx_hash_key(ctx->key.data, ctx->key.len);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2577
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2578 ngx_shmtx_lock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2579
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2580 node = ngx_slab_calloc_locked(shpool,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2581 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2582 if (node == NULL) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2583
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2584 if (!ngx_queue_empty(&cache->expire_queue)) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2585 q = ngx_queue_last(&cache->expire_queue);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2586 node = ngx_queue_data(q, ngx_ssl_ocsp_cache_node_t, queue);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2587
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2588 ngx_rbtree_delete(&cache->rbtree, &node->node.node);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2589 ngx_queue_remove(q);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2590 ngx_slab_free_locked(shpool, node);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2591
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2592 node = ngx_slab_alloc_locked(shpool,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2593 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2594 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2595
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2596 if (node == NULL) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2597 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2598 ngx_log_error(NGX_LOG_ALERT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2599 "could not allocate new entry%s", shpool->log_ctx);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2600 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2601 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2602 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2603
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2604 node->node.str.len = ctx->key.len;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2605 node->node.str.data = (u_char *) node + sizeof(ngx_ssl_ocsp_cache_node_t);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2606 ngx_memcpy(node->node.str.data, ctx->key.data, ctx->key.len);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2607 node->node.node.key = hash;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2608 node->status = ctx->status;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2609 node->valid = valid;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2610
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2611 ngx_rbtree_insert(&cache->rbtree, &node->node.node);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2612 ngx_queue_insert_head(&cache->expire_queue, &node->queue);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2613
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2614 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2615
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2616 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2617 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2618
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2619
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2620 static ngx_int_t
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2621 ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx)
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2622 {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2623 u_char *p;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2624 X509_NAME *name;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2625 ASN1_INTEGER *serial;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2626
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2627 p = ngx_pnalloc(ctx->pool, 60);
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2628 if (p == NULL) {
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2629 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2630 }
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2631
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2632 ctx->key.data = p;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2633 ctx->key.len = 60;
b56f725dd4bb OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents: 7653
diff changeset
2634
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653
    name = X509_get_subject_name(ctx->issuer);
    if (X509_NAME_digest(name, EVP_sha1(), p, NULL) == 0) {
        return NGX_ERROR;
    }

    p += 20;

    if (X509_pubkey_digest(ctx->issuer, EVP_sha1(), p, NULL) == 0) {
        return NGX_ERROR;
    }

    p += 20;

    serial = X509_get_serialNumber(ctx->cert);
    if (serial->length > 20) {
        return NGX_ERROR;
    }

    p = ngx_cpymem(p, serial->data, serial->length);
    ngx_memzero(p, 20 - serial->length);

#if (NGX_DEBUG)
    {
    u_char  buf[120];

    ngx_hex_dump(buf, ctx->key.data, ctx->key.len);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
7655 bd4d1b9db0ee Fixed format specifiers. Sergey Kandaurov <pluknet@nginx.com> parents: 7654
                   "ssl ocsp key %*s", sizeof(buf), buf);
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653
    }
#endif

    return NGX_OK;
}
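The cache key assembled in the function above is worth seeing end to end. What follows is an added example written for this page, not nginx code: a Python model of the same 60-byte layout (SHA-1 of the DER issuer name, SHA-1 of the issuer public key bytes, then the serial right-padded with zero bytes to 20), using only hashlib so it runs without OpenSSL. It assumes that ASN1_INTEGER->data holds the positive serial as a big-endian magnitude without the DER sign byte, which is what serial_bytes() produces; the issuer name and public key bytes are constructed stand-ins. Beyond the layout itself it shows two edge cases a reviewer would check against the C: a serial longer than 20 bytes takes the NGX_ERROR path, and because the serial field is right-padded with zeros, two serials under the same issuer that differ only by trailing zero bytes (1 and 256, i.e. 0x01 versus 0x0100) yield the same key.

```python
# Added example (not nginx code): a Python model of the OCSP status-cache key
# assembled by the C above, using only hashlib so it runs without OpenSSL.
#
# Layout of ctx->key (60 bytes):
#   [ 0..20)  SHA-1 of the DER-encoded issuer subject name  (X509_NAME_digest)
#   [20..40)  SHA-1 of the issuer public key bytes           (X509_pubkey_digest)
#   [40..60)  certificate serial, right-padded with zero bytes to 20 bytes
import hashlib
from typing import Optional

DIGEST_LEN = 20            # SHA-1 output; also the RFC 5280 ceiling for serials
KEY_LEN = 3 * DIGEST_LEN   # 60


def serial_bytes(serial: int) -> bytes:
    """Magnitude of a positive serial as this example assumes OpenSSL keeps it
    in ASN1_INTEGER->data: big-endian, minimal length, no DER sign byte."""
    if serial <= 0:
        raise ValueError("certificate serials are positive integers")
    return serial.to_bytes((serial.bit_length() + 7) // 8, "big")


def ocsp_cache_key(issuer_name_der: bytes, issuer_pubkey: bytes,
                   serial: bytes) -> Optional[bytes]:
    """Mirror of the C: the 60-byte key, or None where the C returns
    NGX_ERROR because the serial is longer than 20 bytes."""
    if len(serial) > DIGEST_LEN:
        return None                                     # serial->length > 20

    key = hashlib.sha1(issuer_name_der).digest()        # X509_NAME_digest
    key += hashlib.sha1(issuer_pubkey).digest()         # X509_pubkey_digest
    key += serial                                       # ngx_cpymem
    key += b"\x00" * (DIGEST_LEN - len(serial))         # ngx_memzero
    assert len(key) == KEY_LEN
    return key


def keys_collide(issuer_name_der: bytes, issuer_pubkey: bytes,
                 serial_a: int, serial_b: int) -> bool:
    """True when two different serials under the same issuer map to one key.
    Right zero-padding makes this happen for serials that differ only by
    trailing zero bytes, e.g. 0x01 and 0x0100."""
    ka = ocsp_cache_key(issuer_name_der, issuer_pubkey, serial_bytes(serial_a))
    kb = ocsp_cache_key(issuer_name_der, issuer_pubkey, serial_bytes(serial_b))
    return ka is not None and ka == kb and serial_a != serial_b


# Constructed stand-ins for the issuer fields: only their SHA-1 enters the key.
# ISSUER_NAME_DER is the DER of a Name with a single CN=Test attribute.
ISSUER_NAME_DER = bytes.fromhex("300f310d300b06035504030c0454657374")
ISSUER_PUBKEY = bytes(range(65))   # stand-in for a 65-byte uncompressed EC point

if __name__ == "__main__":
    key = ocsp_cache_key(ISSUER_NAME_DER, ISSUER_PUBKEY, serial_bytes(0x0A1B2C3D))
    print("ssl ocsp key", key.hex())     # same 120-char hex as the NGX_DEBUG line
    print("21-byte serial rejected:",
          ocsp_cache_key(ISSUER_NAME_DER, ISSUER_PUBKEY, b"\x7f" * 21) is None)
    print("serial 1 vs 256 collide:",
          keys_collide(ISSUER_NAME_DER, ISSUER_PUBKEY, 1, 256))
```

Public CAs are required to put at least 64 bits of CSPRNG output into every serial, so trailing-zero twins are not a practical concern there; a private CA that numbers certificates sequentially can produce them, and a length-prefixed or left-padded serial field would keep such keys distinct. How the cache behaves on a colliding lookup is outside this section.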
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653


4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874
static u_char *
ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len)
{
    u_char              *p;
    ngx_ssl_ocsp_ctx_t  *ctx;

    p = buf;

    if (log->action) {
        p = ngx_snprintf(buf, len, " while %s", log->action);
        len -= p - buf;
6813 94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812
        buf = p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874
    }

    ctx = log->data;

    if (ctx) {
6813 94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812
        p = ngx_snprintf(buf, len, ", responder: %V", &ctx->host);
        len -= p - buf;
        buf = p;
    }

    if (ctx && ctx->peer.name) {
        p = ngx_snprintf(buf, len, ", peer: %V", ctx->peer.name);
        len -= p - buf;
        buf = p;
    }

    if (ctx && ctx->name) {
        p = ngx_snprintf(buf, len, ", certificate: \"%s\"", ctx->name);
        len -= p - buf;
        buf = p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874
    }

    return p;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru>
}


#else


ngx_int_t
4880 0254c1a43fe5 OCSP stapling: build fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4879
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
    ngx_str_t *responder, ngx_uint_t verify)
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru>
{
    ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                  "\"ssl_stapling\" ignored, not supported");

    return NGX_OK;
}

6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688

4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874
ngx_int_t
ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    return NGX_OK;
}

4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru>

7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652
ngx_int_t
ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653
    ngx_uint_t depth, ngx_shm_zone_t *shm_zone)
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652
{
    ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
                  "\"ssl_ocsp\" is not supported on this platform");

    return NGX_ERROR;
}


ngx_int_t
ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    return NGX_OK;
}


ngx_int_t
ngx_ssl_ocsp_validate(ngx_connection_t *c)
{
    return NGX_OK;
}


ngx_int_t
ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s)
{
    return NGX_OK;
}


void
ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
{
}


7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653
ngx_int_t
ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data)
{
    return NGX_OK;
}


4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru>
#endif